I INTRODUCTION


This is a final report covering progress on a 2-year research effort toward the development of new theorem-proving methods for program verification, and the empirical investigation of these methods in actual verification systems.

In the last several years, interest in verification technology has been prompted by the tremendous cost of developing, debugging, and maintaining software. The creation of new software products is frequently characterized by time and cost overruns, and insufficient modifiability and reliability. Formal program verification offers a high-payoff, though technically difficult, approach to the solution of these problems. Admittedly, methods for proving the correctness of programs in a mathematical way have not yet been developed to the point of practicality for widespread everyday use. Nevertheless, much progress has been made in just the last 2 or 3 years, and the use of these techniques for verifying highly critical software now seems both practical and inevitable.

The experimental verification system we have developed under the present contract, in fact, is now successfully being used in the proof of correctness of the design of a sophisticated, fault-tolerant operating system developed under NASA support [Contract No. NAS1-15428]. We believe that the technology embodied in this experimental system is now nearly ready for transfer to a production environment staffed by well-trained (but not necessarily research-oriented) users. Although more research will be necessary to develop this system to the point of widespread use, we feel that the feasibility of verification as a practical technique is finally at hand, and we are currently seeking new Air Force support for the needed additional work.

The research conducted during the course of the project focused on methods for simplifying formulas of the kind that arise frequently in the verification of programs. The importance of simplification methods, as opposed to pure proof methods, was pointed up by verification work conducted under a previous AFOSR contract. Much of the effort in the latter years of that contract was directed toward developing fast, automatic deduction mechanisms in a system for verifying JOCIT programs (RADC contract F30602-75-C-0042). Although the work on fast decision procedures enabled us to prove automatically many of the verification conditions and fragments of verification conditions generated in the RADC effort, it by no means facilitated automatic proof of all of the formulas we encountered. The inadequacies were of two kinds: speed and generality. The first of these difficulties was made manifest by formulas whose Boolean structure produced a combinatorial explosion too large to be handled in a reasonable amount of time. The second deficiency was made apparent by large formulas that could be proven neither valid nor unsatisfiable by the decision procedures. For such formulas (usually verification conditions arising from improperly formulated inductive invariants), these procedures leave the user with no clue as to the reason why the given formula is not valid.

The work in developing simplification methods conducted under the current project addresses both of these difficulties. The algorithms embodied in the experimental system we implemented have been found to deal remarkably well with the propositional structure that typically arises in verification conditions. The method for simplifying interpreted formulas that was developed under the contract has been found quite effective in reducing the size of formulas whose validity could not be established, thus permitting the user to understand, through examination of the simplified formula, where the problem lies.

Research conducted under the project produced a substantial body of results in addition to those included in its original goals. Much of this additional work focuses on simplification methods based on canonical term rewrite systems investigated during the first year of the project. Additional work in the second year includes the investigation of deductive techniques for quantified formulas over the reals with inequalities.

The next few subsections describe the relation of this work to other Computer Science Laboratory work, and give an overview of results. Later sections, most of which are extracted from academic papers, form the main body of the report.

1.1. Relation to Other Computer Science Laboratory Projects

The Computer Science Laboratory at SRI has in the last several years conducted numerous projects involving program verification. The interaction among these various efforts has been of substantial mutual benefit. The current effort, for example, has benefited from the strong motivation for deduction tools provided by the more application-oriented projects. Conversely, our work in the last 2 years has been, and continues to be, of utility in both our effort to prove the correctness of the SIFT fault-tolerant operating system, and in a project for the Rome Air Development Center to develop verifiers for several versions of the JOVIAL programming language. Other application-oriented projects have needed (and will need) sophisticated deductive tools for the verification of security properties of system software.

Our work for Rome Air Development Center has been in progress almost continuously since 1975. Under contracts F30602-75-C-0042 and F30602-76-C-0204 ("Rugged Programming Environment", Phases RPE/1 and RPE/2), we developed early versions of program verifiers for a subset of JOVIAL/J3 and for JOCIT. A subsequent contract with RADC (F30602-78-C-0031) called for the development of a programming environment for JOVIAL-J73/I in which an Air Force programmer can design, implement, debug, and prove correctness for programs in this language. During the current reporting period, several aspects of the project work have been applied to the development of the Rugged Jovial Environment (RJE) program verification system. The RJE project is concerned with the application of program verification techniques to JOVIAL-J73 software.

Mutually beneficial relationships have arisen also with several other government-supported projects in this laboratory. Among these are:

- A Provably Secure Operating System (PSOS): The System, Its Applications, and Proofs. (SRI Project 4332, Contract DAAB03-75-C-0399 for the U.S. Army. March 24, 1975 to February 11, 1977, plus subsequent work until August 1979).

- Kernelized Secure Operating System (KSOS) — Design and Verification. (SRI Project 6654, Contract MDA902-77-C-0333, Subcontract SC-606079-EW, for Ford Aerospace. August 3, 1977 to April 30, 1978).

- Formal Transformation of Computer Programs. (SRI Project 4079, Contract N00014-75-C-0816 for the Office of Naval Research. March 3, 1975 to May 31, 1980).

- Formal Methods for Fault Tolerance in Distributed Data Processing Systems. (SRI Project 7242, Contract DASG60-78-C-0046 for BMD ATC. February 27, 1978 to September 30, 1979).

- Investigation, Development, and Evaluation of Performance Proving for Fault-tolerant Computers. (SRI Project 7821, Contract NAS1-15528 for NASA-Langley. September 15, 1978 to September 15, 1981).

- Mechanizing the Mathematics of Computer Program Analysis. (SRI Project 8527, Grant MCS 79-04081 for the National Science Foundation. May 15, 1979 to May 15, 1982).

- Development of the Hierarchical Development Model (HDM). (SRI Project 1015, Contract N0003S-79-C-0463 for the Department of the Navy. September 28, 1979 to September 30, 1980).

- OBJ-1. A Study in Executable Algebraic Formal Specification. (SRI Project 1350, Contract N00014-80-C-0296 for the Department of the Navy. August 18, 1980 to August 17, 1981).

- Hierarchical Methodologies for Communication Protocol. (SRI Project 1879, Contract NB80NAAE3396 for the National Bureau of Standards. August 21, 1980 to December 31, 1980).

- Towards an Editor and Interpreter for System Specifications. (SRI Project 2153, Letter dated 6-25-80 for Philips Research Laboratories. September 18, 1980 to September 1, 1981).

- PSOS Implementation Study — Consulting Report. (SRI Project 2958, Contract MDA904-81-C-0422 for U.S. Government. March 12, 1981 to September 15, 1982).

1.2  Overview  of  Results 

The first year of the project was primarily concerned with Task 1 of the proposed work statement, i.e., the investigation of techniques for simplification of nonlogical expressions. Emphasis was placed on elaborating the method of interpreted implicants. The investigation was carried out in collaboration with Professor Donald Loveland, of Duke University. Preliminary results of this study were presented at the Fifth Conference on Automated Deduction held in July, 1980 at Les Arcs, France.

A substantial body of work on canonical term rewriting systems was also undertaken during the first year, under partial support of the project. Participating in this work were a number of visitors to SRI, including Gerard Huet and Jean-Marie Hullot (of INRIA, France), and Paul Gloess (SRI International Fellow). Four academic papers were produced, each touching on a different aspect of the use of rewrite systems to simplify formulas. Three of these papers ("Adding Dynamic Paramodulation to Rewrite Algorithms" (Gloess), "Canonical Forms and Unification" (Huet and Hullot), and "A Catalog of Canonical Term Rewriting Systems" (Hullot)) were presented at the Automated Deduction conference. "Equations of Rewrite Rules: A Survey" (Huet and Oppen) appeared in the proceedings of the 1980 Conference on the Foundations of Computer Science held in Santa Barbara, Ca. Copies of these papers were included in the first year's report.

The second year of the project included work on all three tasks of the work statement. Further improvements to the method of interpreted implicants were devised. A complete description of the method, including these improvements, was issued as a Computer Science Laboratory technical report (CSL-117), and is included as Section II of this report. Another facet of the second year's work was the investigation of means for limited-expansion manipulation of propositional expressions. Several experimental computer programs were written in the Interlisp language and used to develop algorithms to minimize the combinatorial effect of case splitting in dealing with the propositional structure of formulas. The heuristics developed in this study were then incorporated within a full-blown experimental theorem prover, which has been used intensively in a number of verification efforts (listed in the previous subsection) in which the Computer Science Laboratory is now engaged. A description of this prover is given in Section III of this report, and the critical sections of the algorithms themselves, represented in Lisp, are supplied in an appendix. An extensive example illustrating the use of this system in the proof of the SIFT operating system has been provided by Michael Melliar-Smith and Richard L. Schwartz.

In addition to the work specifically called for by the project, the second year's activities included investigations in the related area of procedures for deciding formulas involving general equalities. A modified resolution procedure for this purpose was devised in collaboration with Prof. W. W. Bledsoe and Mr. Robert Neveln, both of the University of Texas. Section IV of this report describes the procedure in detail and gives completeness results.
Simplifying Interpreted Formulas*
D. W. Loveland** and R. E. Shostak***

Abstract

A method is presented for converting a decision procedure for unquantified formulas in an arbitrary first-order theory to a simplifier for such formulas. Given a quantifier-free disjunctive normal form (d.n.f.) formula, the method produces a simplest (according to a given criterion) d.n.f. equivalent from among all formulas with atoms in the original formula. The method is predicated on techniques for minimizing purely boolean expressions in the presence of "don't-care" conditions. The don't-cares are used to capture the semantics of the interpreted literals in the formula to be simplified.

Two  procedures  are  described:  a  primitive  version  of  the  method  that  advances 
the  fundamental  idea,  and  a  more  refined  version  intended  for  practical  use. 
Complexity  issues  are  discussed,  as  is  a  nontrivial  example  illustrating  the 
utility  of  the  method.  The  last  section  describes  an  alternative  to  the  first 
phase  of  the  refined  version  that  is  preferable  in  certain  cases. 


* An abbreviated version of this paper was presented at the 5th Conference on Automated Deduction.

** Dept. of Comp. Sci., Duke University, Durham, NC 27706

*** Computer Science Lab., SRI International, 333 Ravenswood, Menlo Park, CA 94025, (415) 326-6200 x2879; supported in part by AFOSR contract F49620-79-C-0099.


1.  Introduction 


The problem of simplifying logical expressions was first addressed in the early 1950s in the form of boolean minimization. The motivation at that time was to reduce as much as possible the number of components needed to realize a given switching circuit. Minimization techniques were developed to operate according to a variety of criteria, including the fewest literals in a sum-of-products or product-of-sums expression, the fewest terms, or the fewest terms and occurrences of literals.

The problem of simplifying logical expressions has resurfaced in the last few years in connection with program verification, synthesis, and allied concerns in artificial intelligence. In these applications, the expressions to be simplified are no longer merely propositional; they may contain interpreted predicates or function symbols. Even the problem of defining useful simplicity criteria for such formulas can be tricky, since the usual syntactic measures are sometimes misleading. For example, the formula y≥x ∧ 5y<x+10 (where x and y are understood to range over positive integers) is much more concise than the equivalent (x=1 ∧ y=1) ∨ (x=1 ∧ y=2) ∨ (x=2 ∧ y=2), even though the latter is likely to be more useful in many theorem-proving situations.

Ideally, one would like a general-purpose method for simplifying formulas in arbitrary nonlogical theories with respect to arbitrary simplification measures. Though such a method is clearly too much to hope for, the approach described herein is a step in the direction of this goal. Our method may be viewed as a practical way of converting a decision procedure for unquantified formulas in an arbitrary first-order theory to a simplifier for such formulas. Given a quantifier-free formula in d.n.f., it produces a simplest (according to any given reasonable criterion) d.n.f. equivalent from among all formulas whose atoms occur in the original formula. By "reasonable" criterion, we mean one according to which the deletion of a literal from a term or of a term from a disjunction always produces a simpler formula.

Before describing the approach, we might point out that simplification can often be accomplished merely by eliminating unsatisfiable disjuncts in a disjunctive normal form. (Note, in particular, that this technique necessarily reduces all unsatisfiable formulas to "false.") The elimination of such disjuncts is not, however, sufficient to produce a simplest form for nonvalid formulas. The difficulty is illustrated by the following formula from the theory of Presburger arithmetic with function symbols:

F ≡ (y≠z) ∨ (x<y ∧ x+y<0) ∨ (x≤1 ∧ f(z)≠f(y)+1)

While none of the disjuncts of F is unsatisfiable, F does have a much simpler equivalent, namely

y≠z ∨ x≤1

Isolated consideration of the terms in the d.n.f. expression is thus insufficient.


Our method is presented in five parts. Section 2 describes and proves the correctness of the standard procedure, a primitive version that advances the fundamental idea. A much more efficient version, called the modified procedure, is given and justified in Section 3. Section 4 gives a brief analysis of the computational complexity of the two versions, and Section 5 summarizes a nontrivial example that illustrates the utility of the modified method. The last section presents an alternative to the first phase of the modified procedure that is beneficial in certain cases.

2.  The  Standard  Procedure 

The procedure given in this section takes as input a quantifier-free d.n.f. (c.n.f.) formula in a first-order theory and returns an equivalent d.n.f. (c.n.f.) expression with the property that no other such expression with atoms from the original formula is simpler with respect to a given reasonable (in the sense given earlier) measure of simplicity. The procedure works with any first-order theory for which the satisfiability of quantifier-free conjunctions of literals can be tested.

One can view the method as a nonlogical counterpart of the systematic minimization techniques developed for purely propositional formulas. In fact, the technique makes use of the method of prime implicants first described by Quine and McCluskey [3,4].

Our  treatment  assumes  that  a  d.n.f.  expression  is  to  be  found.  One  can  obtain 
c.n.f.  expressions  using  a  dual  method. 

We begin with a brief review of Quine's method of prime implicants for purely propositional expressions. A more detailed account is given in [1].

Defn. A term is a conjunction of literals.

Defn. A term t1 subsumes a term t2 if each literal of t2 is also a literal of t1.

Defn. An implicant of a formula F is a term that implies F.

Defn. A prime implicant of a formula F is a term that implies F and subsumes no shorter term that implies F.

The fundamental interest of prime implicants is that any simplest d.n.f. equivalent G for a propositional formula F must be a disjunction of prime implicants of F. To see this, suppose that some term t of G is not a prime implicant of F. Because t implies F but is not a prime implicant, t must subsume a shorter term t' that also implies F. The expression obtained from G by replacing t with t' is still equivalent to F, contradicting the assumption that G is simplest.

Several methods can be used to determine the set of prime implicants of a formula F. One such, called the method of iterated consensus [5,6], begins with the set of terms in a d.n.f. form of F. The nontautological resolvents of terms in the set are repeatedly formed and added to the set. At the same time, subsuming terms are deleted. When no new terms can be added that do not subsume existing terms, the set of prime implicants has been obtained.

Consider, for example, the formula F given by

F = prs ∨ pqrs ∨ pqrs

Resolving prs and pqrs gives rise to pqr. Because pqrs subsumes pqr, the former can be deleted. Next, by resolving prs with pqrs, one obtains qrs; pqrs can thus be deleted. Because no more terms can be added or deleted, the remaining terms, prs, pqr, and qrs, are the prime implicants of F.


Once the prime implicants of a formula have been found, a simplest d.n.f. expression can be obtained by determining a simplest subset of prime implicants whose disjunction is implied by the formula. Note that simplest disjunctions need not be unique; frequently several different combinations of prime implicants give rise to simplest equivalents. To discover these combinations, it is useful to classify the prime implicants into three categories:

- Core implicants are those that must appear in any such combination. If a given implicant does not imply the disjunction of all other implicants, it must be a member of the core.

- Absolutely eliminable implicants are those that imply the disjunction of the core implicants, and so can be ignored.

- Eliminable implicants are those that are neither core nor absolutely eliminable.

The various simplest equivalents differ only in their selection of eliminable implicants.


The most straightforward method of finding these equivalents involves constructing a table T whose rows are labeled by prime implicants and whose columns are labeled by the terms in the perfectly developed d.n.f. (In the perfectly developed d.n.f., each letter atom occurs (either signed or unsigned) in each term of the formula to be simplified.) A '1' is placed at T(t,u) if the prime implicant t is subsumed by term u, and a '0' otherwise.

The core implicants are easily identified as those subsumed by at least one term that subsumes no other implicant; absolutely eliminable implicants are those subsumed only by terms that subsume at least one core implicant. All rows labeled by core and absolutely eliminable implicants are then canceled (deleted from the table), as well as all columns labeled by terms that subsume core implicants. The subsets of remaining implicants sufficient to cover the remaining columns are then enumerated exhaustively and a simplest one is selected.


Our procedure for simplifying interpreted expressions depends on an elaboration of the method just described that can handle so-called "don't-care" conditions. In the application of minimization techniques to digital design it is sometimes useful to exploit situations in which certain assignments to the variables of an expression to be simplified are not actually realized. For such assignments, the value of the simplified expression can be arbitrary. As one might expect, greater simplification can often be obtained if one relaxes the requirement that the simplified expression be equivalent to the original, so as to necessitate equivalence only for assignments other than the don't-cares.

The treatment of don't-care conditions requires two slight modifications of the basic method. First, for purposes of generating prime implicants, the d.n.f. form of the formula to be simplified is augmented by disjoining to it a term for each don't-care condition. If, for example, p=T, q=F, r=T is a don't-care input, the term p¬qr is added. Second, the terms in the perfectly developed d.n.f. that imply don't-care conditions are omitted from the prime-implicant matrix.

Suppose it is wished, for example, to simplify the formula F ≡ p ∨ qr with respect to don't-care conditions {p=F, q=T, r=F} and {p=T, q=F, r=T}. We first find the prime implicants of the augmented formula p ∨ qr ∨ ¬pq¬r ∨ p¬qr. Using the method of iterated consensus, p¬qr can be eliminated immediately because it subsumes p. Resolving p against ¬pq¬r, q¬r is obtained. Since ¬pq¬r subsumes q¬r, ¬pq¬r can now be eliminated. Resolving qr against q¬r yields q, which permits the elimination of both qr and q¬r. We are therefore left with the prime implicants p and q. The prime implicant table will contain rows for p and q and columns for all the terms in the perfectly developed d.n.f. for F (namely, pqr, pq¬r, p¬qr, p¬q¬r, ¬pqr) other than the don't-care term p¬qr. It is easy to verify that both p and q are core implicants (q is subsumed by ¬pqr and p by the remaining terms), hence the simplified form is just p ∨ q.

Our application of this method to the problem of simplifying interpreted expressions is predicated on the use of don't-care conditions to encode the semantics of the terms appearing in the expressions. The basic idea is to treat the interpreted formula to be simplified as if it were purely propositional (i.e., as if interpreted terms were actually uninterpreted), except that all unsatisfiable (with respect to the interpreted semantics) conjunctions of literals with atoms occurring in the formula are treated as don't-cares.

The procedure is easily understood in the context of a small example. Suppose, then, that the formula F to be simplified is just

x<y ∨ (z>0 ∧ x+2z-y>3),

where all variables range over nonnegative integers.

If we let p, q, r denote the atoms x<y, z>0, and x+2z-y>3, respectively, F can be written p ∨ qr.

Now consider the eight possible assignments of truth values to p, q, r: pqr, pq¬r, p¬qr, ..., ¬p¬q¬r. If each term were submitted to a refutation procedure for quantifier-free Presburger arithmetic, it would be found that all assignments other than ¬pq¬r and p¬qr are satisfiable. The question of simplifying F thus becomes that of finding the simplest propositional equivalent of p ∨ qr subject to the don't-care conditions ¬pq¬r and p¬qr. Having solved this problem in the propositional example above, we may conclude that p ∨ q, i.e., x<y ∨ z>0, is a simplest equivalent. (Note, incidentally, that since p and q are core implicants, the fact that p ∨ q is simplest does not depend on the simplicity measure.)

The standard method may be summarized as follows:

1. Let A be the set of atoms occurring in the formula F to be simplified, and let T be the set of terms representing the 2^|A| truth assignments to A. Using a refutation procedure for the theory in question, determine the unsatisfiable subset U of T.

2. Using the method of prime implicants, find a simplest (with respect to the desired reasonable measure) formula that is truth-functionally equivalent to F modulo the don't-care set U.
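The following is an added example (not the report's Lisp code) that carries the standard method through in working code: iterated consensus with subsumption deletion, the prime-implicant table with core and eliminable implicants, and the don't-care set U supplied by a refutation procedure. The term notation ('~p' for the negation of p), the cost measure (fewest terms, then fewest literals) and the stand-in refutation procedure, which simply returns the verdict the paper reports for the p ∨ qr example, are assumptions of this example.

```python
"""Prime-implicant minimization with don't-cares, and the standard procedure on top of it.

Representation (an assumption of this example): a literal is (atom, is_positive),
a term is a frozenset of literals, and a d.n.f. formula is a set of terms.
"""
from itertools import combinations, product


def term(s):
    """Parse 'p ~q r' into a term; '~p' is the negation of atom p."""
    return frozenset((tok.lstrip("~"), not tok.startswith("~")) for tok in s.split())


def show(t):
    """Render a term back into the 'p ~q r' notation (sorted, for determinism)."""
    return " ".join(("" if pos else "~") + a for a, pos in sorted(t))


def subsumes(t1, t2):
    """t1 subsumes t2 if each literal of t2 is also a literal of t1."""
    return t2 <= t1


def consensus(t1, t2):
    """Resolvent of t1 and t2 on exactly one clashing atom.  None if there is no
    clash, or more than one (such a resolvent would be tautological)."""
    clash = [a for a, pos in t1 if (a, not pos) in t2]
    if len(clash) != 1:
        return None
    return frozenset(l for l in t1 | t2 if l[0] != clash[0])


def prime_implicants(terms):
    """Iterated consensus: add nontautological resolvents and delete subsuming
    terms until no new term can be added."""
    S = {t for t in terms if not any(u != t and subsumes(t, u) for u in terms)}
    changed = True
    while changed:
        changed = False
        for t1, t2 in combinations(sorted(S, key=show), 2):
            c = consensus(t1, t2)
            if c is None or any(subsumes(c, u) for u in S):
                continue                                 # nothing new
            S = {u for u in S if not subsumes(u, c)}     # drop terms c makes redundant
            S.add(c)
            changed = True
            break
    return S


def full_terms(atoms):
    """The 2^|A| full terms, one per truth assignment to the atom set A."""
    atoms = sorted(atoms)
    return [frozenset(zip(atoms, bits))
            for bits in product((True, False), repeat=len(atoms))]


def cost(terms):
    """A 'reasonable' measure: fewest terms, then fewest literal occurrences."""
    return (len(terms), sum(len(t) for t in terms))


def minimize(F, dontcares):
    """Simplest d.n.f. equivalent of F modulo a set of don't-care full terms.
    Returns the chosen prime implicants: the core plus a cheapest cover."""
    atoms = {a for t in F | dontcares for a, _ in t}
    primes = prime_implicants(F | dontcares)             # F augmented by the don't-cares
    # columns: the perfectly developed d.n.f. of F, minus the don't-care terms
    cols = [m for m in full_terms(atoms)
            if any(subsumes(m, t) for t in F) and m not in dontcares]
    T = {m: {p for p in primes if subsumes(m, p)} for m in cols}   # the table
    core = {p for m in cols if len(T[m]) == 1 for p in T[m]}
    rest = [m for m in cols if not T[m] & core]          # columns no core implicant covers
    # eliminable implicants cover some remaining column; absolutely eliminable
    # ones cover only columns already covered by the core and drop out here
    elim = [p for p in primes - core if any(p in T[m] for m in rest)]
    best = None
    for k in range(len(elim) + 1):                       # exhaustive enumeration of covers
        for sub in combinations(elim, k):
            if all(T[m] & set(sub) for m in rest):
                pick = core | set(sub)
                if best is None or cost(pick) < cost(best):
                    best = pick
    return best


def standard_procedure(F, unsat):
    """Step 1: U = the full terms over the atoms of F that the refutation procedure
    `unsat` reports unsatisfiable.  Step 2: minimize F modulo U."""
    atoms = {a for t in F for a, _ in t}
    U = {m for m in full_terms(atoms) if unsat(m)}
    return minimize(F, U)


if __name__ == "__main__":
    # The paper's example F = p V qr (p: x<y, q: z>0, r: x+2z-y>3).  The stand-in
    # refutation procedure returns the verdict the paper reports: exactly the
    # assignments ~p q ~r and p ~q r are unsatisfiable.
    F = {term("p"), term("q r")}
    unsat = lambda m: m in {term("~p q ~r"), term("p ~q r")}
    print(" V ".join(show(t) for t in sorted(standard_procedure(F, unsat), key=show)))
```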

Our  proof  that  the  standard  method  does  indeed  produce  a  simplest  semantic 
equivalent  for  F  among  all  formulas  with  atoms  in  A  requires  a  few 
definitions. 

In the following, we will assume that F and F' are both quantifier-free formulas in a first-order theory Th, that as before, A is the set of atoms occurring in F, and that the atoms of F' are contained in A.

Defn. If S is a set of truth assignments to A, we say that F and F' are truth-functionally equivalent with respect to S if F ≡ F' evaluates to true for each truth assignment in S.

Defn. The full term of a truth assignment m to A is a conjunction of literals, one for each atom in A, such that each atom true in m occurs positively, and each atom that is false in m occurs negatively.

Defn. A truth assignment to A is semantically consistent if the corresponding full term is satisfiable in Th.

Claim. F and F' are equivalent in Th iff they are truth-functionally equivalent with respect to the set of semantically consistent truth assignments to A.

Pf. ⇒ Suppose F and F' are equivalent in Th. Let m be any semantically consistent truth assignment. Since m is semantically consistent, its corresponding full term is true in some model I of Th. Since each literal of F ≡ F' is assigned the same value by I as it is by m, F ≡ F' must have the same value in I as it does in m. Since F ≡ F' is valid in Th, it is true in I, hence in m.

⇐ Suppose F and F' are not equivalent in Th. Then F ≡ F' must be false in some model I of Th. Let m be the truth assignment that gives each atom of A the value given it by I. I satisfies the full term corresponding to m, so m is semantically consistent. Since m gives each atom of A the same value as I, F ≡ F' is false in m, hence F and F' are not truth-functionally equivalent with respect to the set of consistent truth assignments of A.

Q.E.D.

It follows as a corollary to the claim that among all quantifier-free formulas of Th with atoms in A, a simplest equivalent to F, according to any measure, must be a simplest truth-functional equivalent to F with respect to the set of semantically consistent truth assignments to A. The correctness of the standard procedure follows immediately, once it is observed that (i) the don't-care procedure finds a simplest truth-functional equivalent with respect to the complement (in the space of all assignments to A) of the given don't-care set, and (ii) the complement of the don't-care set, in the standard procedure, is the set of semantically consistent truth assignments.

3.  The  Modified  Procedure 

Because the problem solved embeds the satisfiability question for
propositional formulas, any version of the procedure requires (at least)
exponential time in input formula length in the worst case (based on
present-day knowledge). This section details refinements of the standard
procedure, however, that improve performance greatly in many situations. The
standard procedure may nevertheless be preferable when there is a substantial
number of multiple occurrences of atoms of F.

Our  measure  of  effort  will  be  taken  as  the  number  of  calls  to  the  refutation 
procedure.  That  this  is  the  best  measure  is  arguable  since  some  refutation 
procedures  can  be  so  quick  as  to  have  the  boolean  manipulation  dominate  the 
cost.  However,  our  methods  are  independent  of  the  refutation  procedure  used 
and  most  such  procedures  require  a  significant  interval  of  time  per  call 
(which  may  be  only  a  second,  but  is  nevertheless  significant  when  hundreds  of 
calls  are  made).  Moreover,  except  for  the  iterated  consensus  (resolution) 
section,  total  effort  is  proportional  to  the  number  of  calls. 

The greatest potential for performance gain follows from the requirement of
the standard procedure that all conjunctions to be processed must be evaluated
by the refutation procedure before serious boolean processing begins.
Although we improve the "worst-case" situation somewhat (worst-case with
respect to the various chances that simplification may occur), we greatly
improve the cost of processing a typical formula, especially when no
simplification does occur. We are left at least with the situation that high
cost is associated with definite gain.

For purposes of explanation, it is convenient to consider the standard
procedure as consisting of two phases: in Phase 1, the unsatisfiable truth
assignments are determined and the prime implicants of the formula augmented
by don't-care terms are generated; in Phase 2, the prime-implicant table is
created and a simplest set of implicants implied by the original formula is
chosen. The improved procedure refines both of these phases.

The main improvement to Phase 1 turns upon the observation that it is
unnecessary to test all truth assignments for satisfiability. In particular,
the assignments that subsume terms of the original formula need not be tested,
since these assignments would be discarded in the iterated consensus procedure
anyway. In our earlier example, for instance, five of the eight assignments
(namely pqr, pqr̄, pq̄r, pq̄r̄, and p̄qr) subsume either p or qr, leaving only
three (p̄q̄r̄, p̄q̄r, p̄qr̄) to be submitted to the refutation procedure.
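The filtering step just described, as an added example in Python (not code from the report): all full truth assignments are enumerated and those subsuming a term of F are dropped before any refutation call is made, so for F = p ∨ qr only three of the eight assignments remain. The literal and term representation, the `parse` helper and its "~" negation syntax are assumptions of the example. The same function also reproduces the (2^m − 1)^n count derived in Section 4 for formulas whose atoms occur only once, and the 3 and 27 Phase 1 calls reported for F1 and F2 in Section 5.

```python
from itertools import product

# Literals are (atom, value) pairs; a term is a frozenset of literals (a
# conjunction); a formula F is a list of terms (a disjunction); a full truth
# assignment is a frozenset with exactly one literal per atom.  Constructed
# representation, not the report's.

def full_assignments(atoms):
    """All 2^|atoms| truth assignments to the atoms, as full terms."""
    return [frozenset(zip(atoms, values))
            for values in product([True, False], repeat=len(atoms))]

def subsumes(assignment, term):
    """A full term subsumes a term of F when it contains every literal of
    that term, i.e. the assignment makes the term (and hence F) true."""
    return term <= assignment

def assignments_to_test(atoms, terms):
    """Modified Phase 1: only assignments that subsume no term of F are
    submitted to the refutation procedure; the others would be discarded by
    iterated consensus anyway."""
    return [m for m in full_assignments(atoms)
            if not any(subsumes(m, t) for t in terms)]

def show(assignment):
    """Render a full term with '~' for a negated atom, e.g. '~p~qr'."""
    return "".join(a if v else "~" + a for a, v in sorted(assignment))

def parse(formula):
    """Parse 'p | q r | ~c d' into (atoms, terms): '|' separates terms,
    whitespace separates literals of a term, '~' negates an atom."""
    terms = [frozenset((lit.lstrip("~"), not lit.startswith("~"))
                       for lit in part.split())
             for part in formula.split("|")]
    atoms = sorted({a for t in terms for a, _ in t})
    return atoms, terms

def disjoint_formula(n, m):
    """n terms of m literals each, every atom occurring exactly once (the
    assumption under which Section 4 counts (2^m - 1)^n Phase 1 calls)."""
    terms = [frozenset((f"x{i}_{j}", True) for j in range(m)) for i in range(n)]
    return [a for t in terms for a, _ in sorted(t)], terms

if __name__ == "__main__":
    atoms, F = parse("p | q r")
    print(len(full_assignments(atoms)), "assignments in all")
    print(sorted(show(m) for m in assignments_to_test(atoms, F)), "need a refutation call")
    print(len(assignments_to_test(*disjoint_formula(2, 2))), "calls for 2 disjoint terms of 2 literals")
```

Note that nothing here touches the refutation procedure itself: the saving is purely in how many full terms reach it.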

Described in Section 6 is another refinement of Phase 1 that further lowers
the required number of calls to the procedure, but at the cost of possibly
missing significant simplifications.

The improved Phase 2 procedure is equivalent to the standard one, but is
substantially more efficient in most cases. It appears not to have been
considered for boolean minimization because "don't-care" conditions are
traditionally given rather than computed.

The procedure is defined using an auxiliary predicate P(X,Y), where X and Y
are sets of terms. Letting Y = {t1, t2, ..., tk}, P(X,Y) is computed by
enumerating all terms of the form

C ∧ l̄1 ∧ l̄2 ∧ ... ∧ l̄k,

where C is the conjunction of all terms in X and each l̄i is the complement of
some literal in ti. The enumerated terms are tested one by one for
satisfiability. P returns "true" if one is found to be satisfiable, and
returns "false" otherwise. The key property of P is that P(X,Y) = false iff
C ⊃ t1 ∨ t2 ∨ ... ∨ tk.

If, for example, X = {a, bc} and Y = {cde, gh}, the terms abcc̄ḡ, abcc̄h̄,
abcd̄ḡ, abcd̄h̄, abcēḡ, abcēh̄ are enumerated. Note that the first two of these
are syntactically unsatisfiable, and so do not require calls to the refutation
procedure. If it were found, for instance, that abcd̄ḡ is satisfiable, the
evaluation could terminate after this one call, returning "true."

The improved Phase 2 procedure is as follows. Let I be the set of prime
implicants computed by Phase 1, and let I' be obtained by deleting from I all
of its unsatisfiable members. (Computing I' from I thus requires applying the
refutation procedure to each member.) A modified prime-implicant table Tm is
now constructed whose rows are labeled with members of I' and whose columns
are labeled by sets of terms. The columns are created dynamically in the
following way:

1. Initialize the table by creating a column for each term in I', with
the singleton set of that term as label.

2. Fill in each new column as follows. If P(X, I'−X) evaluates to
false, where X is the set labeling the column to be filled in,
enter '*' in each row position (indicating a cancelled column).
Otherwise, for the row labeled by implicant u, enter '1' if u ∈ X
and '0' if u ∉ X.

3. For each two cancelled columns with labels X1, X2, create a new
column, if one does not already exist, labeled by X1 ∪ X2.

4. Repeat Steps (2) and (3) until no new columns can be added.

5. Select prime implicants to define a simplest equivalent to F as in
the standard procedure, i.e., choose a simplest set S of prime
implicants such that for every uncancelled column X, there exists
an s ∈ S such that Tm(s,X) = 1.
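The P predicate and the five steps above, as an added worked example in Python (not the report's own code). The theory is a constructed one: the atoms a, b, c, d, e are inequalities over integers x and y, and a brute-force search over a bounded domain stands in for the refutation procedure. The prime-implicant set I = {a, bc, d, e} is assumed to be Phase 1's output; its structure mirrors the report's example (bc implies d, and e implies a ∨ d) without reproducing the report's atoms. Calls are counted the way the report counts them, with syntactically unsatisfiable conjunctions charged nothing.

```python
from collections import deque
from itertools import combinations, product

# Constructed example theory (not the report's): atoms are predicates over the
# integers x, y; the "refutation procedure" is a brute-force search over a
# bounded domain, standing in for a real decision procedure.
DOMAIN = range(-5, 6)
ATOMS = {
    "a": lambda x, y: x > 2,
    "b": lambda x, y: y > 1,
    "c": lambda x, y: y != 2,
    "d": lambda x, y: y > 2,      # over the integers, b and c together amount to d
    "e": lambda x, y: x + y > 4,  # e implies a or d
}
A, BC, D, E = (frozenset({("a", True)}), frozenset({("b", True), ("c", True)}),
               frozenset({("d", True)}), frozenset({("e", True)}))
CALLS = [0]  # refutation-procedure calls, the report's measure of effort

def satisfiable(conj):
    """conj: frozenset of (atom, value) literals.  Complementary literals make
    the conjunction syntactically unsatisfiable, so no call is charged."""
    if any((atom, not value) in conj for atom, value in conj):
        return False
    CALLS[0] += 1
    return any(all(ATOMS[atom](x, y) == value for atom, value in conj)
               for x in DOMAIN for y in DOMAIN)

def P(X, Y):
    """P(X, Y): true iff some conjunction C & ~l1 & ... & ~lk is satisfiable,
    where C is the conjunction of all terms in X and ~li complements a literal
    of the i-th term of Y.  Stops at the first satisfiable conjunction."""
    C = frozenset().union(*X)
    for choice in product(*[sorted(t) for t in Y]):
        if satisfiable(C | {(atom, not value) for atom, value in choice}):
            return True
    return False

def modified_phase2(I):
    """Steps 1-5 of the modified Phase 2 over the prime implicants I.
    Returns (table, chosen): table maps a column label (frozenset of
    implicants) to its row vector, or to None for a cancelled column."""
    I1 = [t for t in I if satisfiable(t)]          # I': drop unsatisfiable ones
    table = {}
    pending = deque(frozenset({t}) for t in I1)    # Step 1: singleton labels
    while pending:
        X = pending.popleft()
        if X in table:                              # label already has a column
            continue
        if P(X, [t for t in I1 if t not in X]):     # Step 2
            table[X] = tuple(1 if t in X else 0 for t in I1)
        else:
            table[X] = None                         # cancelled column
            for X2, vec in list(table.items()):     # Step 3: unions of cancelled pairs
                if vec is None and X2 != X and (X | X2) not in table:
                    pending.append(X | X2)
    # Step 5: fewest implicants hitting every uncancelled column; ties broken
    # by literal count (one of the "any measure" choices the text allows).
    live = [X for X, vec in table.items() if vec is not None]
    for r in range(len(I1) + 1):
        covers = [S for S in combinations(I1, r)
                  if all(any(s in X for s in S) for X in live)]
        if covers:
            return table, min(covers, key=lambda S: sum(len(s) for s in S))

def run_example():
    """Run the modified Phase 2 on I = {a, bc, d, e}, taken as Phase 1's output."""
    CALLS[0] = 0
    table, chosen = modified_phase2([A, BC, D, E])
    return table, chosen, CALLS[0]

if __name__ == "__main__":
    table, chosen, calls = run_example()
    for X, vec in table.items():
        print(sorted("".join(a for a, _ in sorted(t)) for t in X), vec or "cancelled")
    print("simplest equivalent:", [sorted(a for a, _ in t) for t in chosen], "calls:", calls)
```

Running it produces eight columns: {a}, {bc,d} and {bc,d,e} survive, while {bc}, {d}, {e}, {bc,e} and {d,e} are cancelled, and the cover {a, d} is chosen after 15 refutation calls.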

We illustrate the modified procedure with the earlier example:

F ≡ a ∨ bc ∨ de

where

a: y i z
b: x < y
c: x + y < 0
d: x < 1
e: fz i fy + 1

Phase 1.

The truth assignments not subsuming terms in F are abcde, abcde, abcde, abcde,
abcde, abcde, abcde, abcde, and abcde. Of these nine, all but abcde, abcde,
and abcde are found by a refutation procedure to be unsatisfiable. The
iterated-consensus process is applied to F augmented by the six "don't-cares"
to obtain the set I = {a, bc, d, e} of prime implicants.

Phase 2.

Each member of I is tested and found satisfiable, so I' = I. The modified
table Tm is initialized with rows and columns labeled by members of I'. Steps
(2) and (3) of the Phase 2 procedure are now applied repeatedly to form the
table shown below.


              {a}    {bc}    {d}    {e}    {bc,e}

       a       1      *       0      *       *
       bc      0      *       0      *       *
       d       0      *       1      *       *
       e       0      *       0      *       *

(An asterisk marks a cancelled column.)

Justification for the table is summarized below:

1. Initialize, creating columns labeled {a}, {bc}, {d}, {e}.

2. Fill in columns:

   Column {a}:
     P({a}, {bc, d, e}):
       conjunction tested: a b̄ d̄ ē   satisfiable
       = true
     Fill in standard way

   Column {bc}:
     P({bc}, {a, d, e}):
       conjunction tested: bc ā d̄ ē   unsatisfiable
       = false
     Cancel column

   Column {d}:
     P({d}, {a, bc, e}):
       conjunction tested: d ā b̄ ē   satisfiable
       = true
     Fill in standard way

   Column {e}:
     P({e}, {a, bc, d}):
       conjunctions tested: e ā b̄ d̄   unsatisfiable
                            e ā c̄ d̄   unsatisfiable
       = false
     Cancel column

3. Create new column labeled {bc, e}.

2. (Repeated.) Fill in new columns:

   Column {bc, e}:
     P({bc, e}, {a, d}):
       conjunction tested: bc e ā d̄   unsatisfiable
       = false
     Cancel column

3. (Repeated.) No new columns.

5. Core implicants a, d cover all uncancelled columns.

The simplified form is thus a ∨ d, i.e., F ≡ y i z ∨ x < 1.

(Note that here only 19 calls to the refutation procedure were required, as
against 32 for the standard procedure.)

The correctness of the modified Phase 2 procedure is established by the
following theorem.

Theorem. The standard and modified procedures yield the same minimal
formulae.

Pf. Because don't-care terms cannot label columns of the table
created in the standard procedure, any row of that table
headed by an unsatisfiable implicant must contain only zeroes,
and so cannot participate in an implicant selection. Letting
Ts denote the table obtained by omitting such rows, it thus
suffices to show that Ts and Tm (the table generated in the
modified procedure) yield the same implicant selections.

Note that the rows of both Ts and Tm are labeled with the
members of the satisfiable subset I' of implicants generated
in Phase 1. We will assume without loss of generality that
these implicants are assigned to rows in the same order for
the two tables.

Let Ts* be the table obtained from Ts by removing any column v
for which there is another column v' with fewer 1's and such
that v has a 1 in every row position that v' does. We claim
that it is enough to show that V(Ts*) ⊆ V(Tm) and
V(Tm) ⊆ V(Ts), where V(T) denotes the set of uncancelled column
vectors of table T. To see this, note that a prime implicant
selection need only meet the condition that every uncancelled
column vector have a 1 in some row labeled by a selected
implicant. Any implicant selection that satisfies this
condition for Tm must, from V(Ts*) ⊆ V(Tm), satisfy it for
Ts*, and hence for Ts. Conversely, any selection that
satisfies the condition for Ts must, from V(Tm) ⊆ V(Ts),
satisfy it for Tm.

To show that V(Tm) ⊆ V(Ts), let v be an arbitrary column
vector in V(Tm) and suppose v occurs in Tm with label X. Let t
be the conjunction of terms in X. Since P(X, I'−X) is true,
there exists a satisfiable conjunction C subsuming t with the
complement of (at least) one literal from each term in I'−X.
Let A1, ..., Ak be the atoms of F missing from C. The
conjunction C ∧ (A1 ∨ Ā1) ∧ (A2 ∨ Ā2) ∧ ... ∧ (Ak ∨ Āk)
is satisfiable, so at least one term u in its disjunctive
expansion must be satisfiable. Because u is a full term that
subsumes a conjunction of implicants of F, u must occur in the
perfectly-developed d.n.f. of F. The vector labeled by u in
Ts, moreover, must be v, giving v ∈ V(Ts) as required.

For V(Ts*) ⊆ V(Tm), let v be a column vector in V(Ts*), and
suppose v occurs in Ts* with label t. Let X be the set of
implicants in I' that are subsumed by t. Because t is a full
term, each implicant of I' not in X must have a literal whose
complement occurs in t. Let C be the conjunction of all
literals in X and, for each implicant s not in X, at least one
literal of t whose complement occurs in s. C must be
satisfiable because t is. Since C is a conjunction tested by
P(X, I'−X), P(X, I'−X) must therefore be true. Thus if X
labels a column in Tm, that column must be uncancelled, and
hence v is a column vector of Tm.

It suffices to show, then, that X does indeed label a column
of Tm. So suppose not. Then there exists a proper subset Y
of X that labels an uncancelled column of Tm with 1's in only
some of the rows in which v has 1's. Since V(Tm) ⊆ V(Ts),
this vector also occurs in Ts. But then v could not occur in
Ts*, giving a contradiction.

Q.E.D.


4.  Complexity  Issues 


While it is difficult to obtain quantitative measures of the improvement
afforded by the modified procedure, some calculations can be made under
certain simplifying assumptions. Our analysis will consider that the formula
F to be simplified has n terms, each with m literals, and that no atoms in F
have multiple occurrences.

For the standard procedure, exactly 2^(mn) calls to the refutation procedure
are made in Phase 1 and, of course, none are made in Phase 2.

For the modified procedure, calls are made in both phases. In Phase 1, a call
is made for each truth assignment (to the mn atoms of F) that does not subsume
a term of F. Each truth assignment may be viewed as a choice, for each term,
of one of 2^m assignments to the atoms of that term. Because all but one of
these 2^m assignments are permissible, a total of (2^m − 1)^n calls is made in
Phase 1.

The number of calls made in Phase 2 depends on the set I of prime implicants
discovered in the first phase. To obtain a rough idea of Phase 2 behavior,
let us assume I contains p implicants, each with q literals, and that p ≤ n,
q ≤ m. (We have found this assumption to be valid in practice.)

Phase 2 first requires that each of the p implicants be tested for
satisfiability. The remainder of Phase 2 may require zero calls (if all prime
implicants are unsatisfiable). Assuming that p prime implicants are
satisfiable, we may need as few as p more calls (if all tested conjunctions
are satisfiable) or as many as (q+1)^p − 1 more calls (if all tested
conjunctions are unsatisfiable). The lower bound holds because for each
singleton set X, P(X, I'−X) will return "true" after one call and Step 3
provides no new columns beyond the p initial columns. Thus, a total of p
calls is made. The upper bound holds because each conjunction tested
contains, for each of the p' prime implicants, either the prime implicant
itself or the complement of one of the q literals of the implicant. In the
one unrealizable case, no prime implicant occurs in the conjunction. Using
p ≤ n, q ≤ m, we have a worst-case bound of (m+1)^n − 1, and a best-case
bound of 2n.

It is worth noting that the total worst-case cost for the modified procedure
is almost always less than that for the standard procedure
((2^m − 1)^n + n + (m+1)^n − 1 versus 2^(mn)) for reasonable m and n. However,
the primary value of the modified procedure is that often m is small enough
(typically averaging about 1.5) so that Phase 1 cost is moderate. Moreover, a
general mix of candidate formulas includes many that are not simplifiable and
with the cost of Phase 2 close to 2n.

5.  An  Example 

This section gives a summary of a less trivial example. The example
illustrates that quite striking reductions can be obtained in innocent-looking
formulas.

Consider

F ≡ y>max(2,z) ∨ y>1+z ∨ (y≠0 ∧ y<−1) ∨ (y≠0 ∧ y i z) ∨ y=0 ∨ (z i 1 ∧ y i 1)

Phase 1: Use of the modified procedure requires 3 calls, and results
in the prime-implicant set:

{y>max(2,z), y>1+z, y=0, y<−1, y i z, z i 1, y i 1}

Phase 2: The modified procedure requires 63 calls.

Result: F ≡ z i 1 ∨ y i 1

The standard procedure requires 128 calls.

To balance this example, we consider two formulas with similar structure to F,
but where little simplification occurs. The letters A, B, ... represent
semantically unrelated atoms.

F1 ≡ A ∨ B ∨ (C̄ ∧ D) ∨ (C̄ ∧ E) ∨ C ∨ (G ∧ H)

(which simplifies to F1 ≡ A ∨ B ∨ D ∨ E ∨ C ∨ (G ∧ H))

F2 ≡ A ∨ B ∨ (C ∧ D) ∨ (W ∧ E) ∨ Z ∨ (G ∧ H)

F1 produces 3 Phase 1 calls and 12 Phase 2 calls. F2 produces 27 Phase 1
calls and 12 Phase 2 calls. The standard procedure requires 128 and 512 calls,
respectively.

6. Phase 1 Alternative

We conclude with a description of an alternative Phase 1 procedure. The need
for improvement relative to the procedures described earlier is strong when
there are numerous multiliteral terms. Although the worst-case cost is little
improved, we again are able to reduce costs when few conjunctions of literals
of the given formula F are unsatisfiable.

The reduction is obtained at the tradeoff of the guarantee of finding all
prime implicants: the alternative procedure detects only prime implicants
that are subterms of terms of F. This tradeoff is more favorable than it might
at first seem, since proper subterm implicants have the advantage of
guaranteeing simplification. Moreover, nonsubterm conjunctions of literals
with atoms in F are more rarely prime implicants, and are especially less
likely to appear in the final simplified formula. A nonsubterm implicant must
be implied by some other implicant in order to appear in the final
simplification. This rather strong constraint is automatically satisfied by
subterm implicants.

The alternative procedure is carried out in two stages. First, iterated
consensus is applied to F as before, but without first computing and adding in
don't-care terms. Terms in the resulting set of implicants that are not
subterms of terms in F are discarded. (Alternatively, but not necessarily
equivalently, one could modify iterated consensus to disallow resolvents other
than subterms of terms in F. This would tend to reduce the cost of the first
stage at the expense of the second stage, and might be preferable in certain
instances.)

In the second stage, each subterm implicant is tested for primeness. An
implicant t is tested by determining, in a manner described momentarily,
whether it has a subterm (i.e., a subterm with one fewer literal) that is also
an implicant. If not, t is prime, and so is included in the output of Phase
1. Otherwise, t is discarded in favor of its subterm implicants, which are
themselves tested for primeness. Proceeding depth-first, one has the option
of discontinuing subterm checking if a desirable subterm implicant (such as a
unit) is determined.

The key aspect of the alternative procedure is the use of the P predicate
described earlier to determine quickly whether a given subterm of a subterm
implicant t is also an implicant. Letting l1 l2 ... lk denote the literals of
t, and l1, l2, ..., l(k−1) the literals of the subterm in question, the
determination is made by computing P({l1, l2, ..., l(k−1), l̄k}, F̂ − {u}),
where F̂ is the set of terms of F and u is the term of F (or one of possibly
several) of which t is a subterm. As we will show, P computes to false if and
only if the subterm is an implicant.

For illustration, consider the earlier example formula F ≡ a ∨ bc ∨ de,

where

a: y i z

b: x < y

c: x + y < 0

d: x < 1

e: fz i fy + 1
In this example, the iterated consensus stage has no effect, leaving the terms
of F as the set of implicants to be tested. The unit literal a has no
subterms and so is prime. It remains to test bc and de:

P({b, c̄}, {a, de}):
  conjunction tested: b c̄ ā d̄   satisfiable
  = true

P({c, b̄}, {a, de}):
  conjunction tested: c b̄ ā d̄   satisfiable
  = true

bc is prime

P({d, ē}, {a, bc}):
  conjunctions tested: d ē ā b̄   unsatisfiable
                       d ē ā c̄   unsatisfiable
  = false

P({e, d̄}, {a, bc}):
  conjunction tested: e d̄ ā b̄   satisfiable
  = true

d is a prime implicant; de and e are not.

We have, then, that a, bc, and d are prime implicants. The implicant e is not
found; however, e does not appear in the final simplified formula, which is
a ∨ d. Note that five calls to the refutation procedure are made, as compared
with nine calls by the modified procedure.
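The two-stage alternative Phase 1, as an added Python example (not the report's code). It uses the same constructed theory as the Phase 2 example in Section 3 (integer inequalities over x and y decided by brute force over a bounded domain) and F = a ∨ bc ∨ de over those atoms. In place of the P predicate of the Lemma below, the subterm test here is a direct semantic check that the subterm implies F at every point of the domain, so the example shows the consensus stage, the subterm restriction and the depth-first descent rather than the call accounting. Under these constructed meanings both d and e turn out to be subterm implicants of de, unlike in the report's example.

```python
from itertools import combinations

# Constructed example theory (not the report's): atoms over integers x, y,
# decided by brute force over a bounded domain instead of a refutation procedure.
DOMAIN = range(-5, 6)
ATOMS = {
    "a": lambda x, y: x > 2,
    "b": lambda x, y: y > 1,
    "c": lambda x, y: y != 2,
    "d": lambda x, y: y > 2,
    "e": lambda x, y: x + y > 4,
}
A, BC, DE = (frozenset({("a", True)}), frozenset({("b", True), ("c", True)}),
             frozenset({("d", True), ("e", True)}))

def holds(term, x, y):
    """True when every (atom, value) literal of the term has that value at (x, y)."""
    return all(ATOMS[atom](x, y) == value for atom, value in term)

def is_implicant(term, F):
    """Semantic check used here in place of the P predicate: term implies F iff
    every domain point satisfying term satisfies some term of F."""
    return all(any(holds(u, x, y) for u in F)
               for x in DOMAIN for y in DOMAIN if holds(term, x, y))

def iterated_consensus(terms):
    """Iterated consensus: add the consensus of every pair of terms that clash
    on exactly one atom, and drop terms subsumed by (supersets of) another
    term, until nothing changes."""
    terms = set(terms)
    while True:
        new = set()
        for t1, t2 in combinations(terms, 2):
            clash = [(atom, value) for atom, value in t1 if (atom, not value) in t2]
            if len(clash) == 1:
                atom, value = clash[0]
                c = (t1 - {(atom, value)}) | (t2 - {(atom, not value)})
                if not any(u <= c for u in terms):
                    new.add(c)
        if not new:
            return terms
        terms |= new
        terms = {t for t in terms if not any(u < t for u in terms)}

def alternative_phase1(F):
    """Stage 1: iterated consensus without don't-cares, keeping only subterms
    of terms of F.  Stage 2: depth-first primeness test, replacing an implicant
    by its one-literal-shorter subterm implicants until none remain."""
    candidates = {t for t in iterated_consensus(F) if any(t <= u for u in F)}
    prime, seen = set(), set()

    def visit(t):
        if t in seen:
            return
        seen.add(t)
        subs = [t - {lit} for lit in sorted(t)] if len(t) > 1 else []
        sub_implicants = [s for s in subs if is_implicant(s, F)]
        if sub_implicants:
            for s in sub_implicants:   # discard t in favour of its subterm implicants
                visit(s)
        else:
            prime.add(t)

    for t in sorted(candidates, key=len):
        visit(t)
    return prime

if __name__ == "__main__":
    for t in sorted(alternative_phase1([A, BC, DE]), key=len):
        print("prime subterm implicant:", "".join(a if v else "~" + a for a, v in sorted(t)))
```

The option the text mentions, stopping the descent as soon as a unit implicant is found, would be a one-line early return inside `visit`; the full search is kept here so that every subterm implicant is reported.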


The use of the P predicate is justified in the following lemma.

Lemma. Suppose u = l1 l2 ... lk is a term of F and t = l1 l2 ... lr, 2 ≤ r
≤ k, is an implicant of F. Then l1 ∧ ... ∧ l(r−1) is also an
implicant of F iff P({l1, l2, ..., l(r−1), l̄r}, F̂ − {u}) = false.

Pf. ⇒ If P({l1, l2, ..., l(r−1), l̄r}, F̂ − {u}) is true, then there is a
satisfiable conjunction l1 ... l(r−1) l̄r l̄u(1) ... l̄u(i) ... l̄u(n),
where lu(i) is a literal in term u(i) of F, with term u
omitted from the indexing. But since lr is a literal of u,
every term of F is falsified, so l1 ∧ l2 ∧ ... ∧ l(r−1) ⊃ F does
not hold, contrary to assumption.

⇐ If l1 ∧ ... ∧ l(r−1) is not an implicant, there is an
interpretation of F verifying l1, ..., l(r−1) but falsifying at
least one literal lu(i) of each term u(i) of F. But since t is
an implicant, so that l1 ∧ ... ∧ lr ⊃ F, lr must be falsified
in this interpretation. But then l1 ... l(r−1) l̄r l̄u(1) ... l̄u(n) is
satisfiable, contradicting P({l1, l2, ..., l(r−1), l̄r}, F̂ − {u}) =
false.

Q.E.D.

To obtain some general measure of the improvement afforded by the alternative
Phase 1, we again count calls to the refutation decision procedure, and
consider formulas with n terms of m literals each, with every atom having a
unique occurrence in F.

When all conjunctions are satisfiable, only one conjunction is tested for each
of the m subterms, for a cost of nm. If all conjunctions are unsatisfiable, up
to 2^m − 2 subterms can be tested for each term, each checking m^(n−1)
conjunctions, for a total of n(2^m − 2)m^(n−1) calls (although in this case a
depth-first search would hold the cost to m^n). A more useful observation is
that finding one new subterm prime implicant costs m^(n−1) calls.

We emphasize again that while gains over the modified Phase 1 method can be
appreciable when a number of multiliteral terms exist and little
simplification occurs, this must be weighed against the possibility of missed
prime implicants of value. The alternative procedure also has less value when
many multiple occurrences of literals are found in the given formula. To
expedite this case, each conjunction should be checked for complementary
literals before submission to the decision procedure.

It should be clear that the procedure we have described is but one of a number
of alternatives. For large formulas one may check only small subterms (using
P(t1, F̂) rather than P(t1, F̂ − {u}), where t1 is a subterm of t, when
necessary). If one wishes to consider all subterms with complementation of
literals introduced (so that e would be found as a prime implicant in our
example), then testing should be on conjunctions t̂ each of which contains all
literals of the term t or their complements. Resolution is then employed on
the conjunctions seen to be implicants. The worst-case cost of n(2^m − 1)m^(n−1)
is only slightly worse than for subterm testing alone, but often all 2^m − 1
patterns need be tested. (However, many P(t̂, F̂ − {t}) may test as few as one
conjunction.)

Truly  low-cost  maximal  simplification  using  refutation  decision  procedures  is 
unlikely.  However,  we  believe  this  paper  shows  that,  given  the  speed  of  the 
best  existing  refutation  procedures,  simplification  of  expressions  that  occur 
in  practice  is  currently  feasible. 
III AN EXPERIMENTAL PROVER

In the second year, much effort was devoted to the development of an
experimental theorem prover with the purpose of testing and refining the
theoretical results of the project in a practical setting. The resulting
verification system has been used and continues to be used extensively in a
NASA-supported effort to verify the correctness of a complex fault-tolerant
operating system. Participants in this effort include D. Hare, Dr. K. Levitt,
P. M. Melliar-Smith, and Dr. R. Schwartz, all of whom have been instrumental
in the development of the prover. The use of the system for this effort has
been so successful that we are currently seeking support for the further
research and development needed to create a production version.

The system consists of a decision algorithm-based theorem-prover for typed
predicate calculus, together with a set of environment support functions.
Formulas  in  the  typed  theory  are  constructed  from: 

-  Integer,  real,  rational  and  user-defined  constants 

-  Integer,  real,  rational  and  user-defined  variables 

-  The  propositional  connectives  IMPLIES,  NOT,  AND,  OR,  IFF 

-  The  first-order  connectives  FORALL,  EXISTS 

-  The  three-placed  IF  construction 

-  The  relational  operators  EQUAL,  LESSP,  LESSEQP,  GREATERP,  GREATEREQP 

-  The  arithmetic  operators  PLUS,  TIMES,  MINUS,  DIFFERENCE 

- Uninterpreted function symbols of INTEGER, RATIONAL, and
user-defined types

The  theory  also  includes  a  definitional  facility  that  permits  user-created 
conservative  extensions. 

One of the more interesting (and powerful) aspects of the theory over which
the prover operates is the provision for user-defined types. This facility
permits the abstract data type information associated with a program that is
to be verified to be carried down to the level of the verification conditions.
This information is passed to the theorem prover through explicit type
declarations for variables and function symbols occurring in the formulas to be
proved. The proof process includes a typechecking phase that verifies the
syntactic correctness of the formula. Type information is extracted during
this phase, and incorporated into a TYPE MODULE that the theorem prover proper
subsequently consults during the proof process.

It should be noted that while the language we have described is first-order
(i.e., includes quantifiers), the decision procedures that underlie the prover
operate exclusively on ground (unquantified) formulas. The prover
automatically skolemizes a quantified formula to obtain a ground formula, and
relies on the user to provide the necessary instantiations of the quantified
variables in the resulting Skolem form.

The prover has been found to be able to prove remarkably complex (with respect
to syntactic measures) verification conditions on the order of several
seconds. The fast response is due in large part to a considerable amount of
experimentation with the mechanism used to process the propositional
super-structure of the formula to be proved.

Perhaps the main lesson learned from this experimentation was that vast
changes in speed performance could result from apparently minor "fine tuning"
of this mechanism. Because the modifications to which performance was
sensitive were often extremely slight, it is difficult to draw conclusions
about how one should go about treating propositional structure in general.
Nevertheless, a number of ideas were developed that are of general interest.
First, it was determined that success in handling propositional structure
depends on a delicate balance between simplification and proof. "Proof",
here, refers to an attempt to reduce a formula or subformula to either "true"
or "false"; failure of the attempt produces no other information.
Simplification, on the other hand, may result in reducing a formula that can
be proved neither true nor false to an equivalent formula that is at least
syntactically more tractable. The utility of simplification as a subprocess
of proof is well established; it proved to be especially so in our case,
because it often obviated the case-splitting that is more often than not
responsible for combinatorial explosion in the reduction of propositional
structure. As an illustration, consider the following propositional
expression E:

E = (AND P (OR (NOT P) (NOT Q))
           (OR Q (AND (NOT P) (NOT Q)) R)
           (OR (NOT P) Q (NOT R)))

We wish to reduce E to TRUE or FALSE. Ordinary case splitting, even when
preceded by recursive reduction of subexpressions to TRUE or FALSE when
possible, produces 1 × 2 × 3 × 3 = 18 cases (conjuncts) in the disjunctive
normal form. By recursively simplifying, however, E can be treated without
any case-splitting at all. In particular, simplification of the disjunct (OR
(NOT P) (NOT Q)) in the context of the unit literal P produces a second unit
literal (NOT Q). Simplification of the next disjunct in the context of the
two unit literals P and (NOT Q) produces a third unit literal
R. Simplification of the last disjunct then produces a contradiction, thus
reducing E to false.

Unfortunately, simplification is much more time consuming than proof, because,
as illustrated in our example, the results of each simplification must be
repeatedly applied to obtain other simplifications. We found that just the
right balance had to be struck between simplification and proof in the
internal structure of the propositional reduction mechanism to obtain the
benefits of simplification without paying too dearly for the additional
analysis it requires.

A second idea developed from our experimentation is the utility of the
"FAST.PROVE" strategy. FAST.PROVE is a subalgorithm of our propositional
manipulator that attempts to reduce a formula (or subformula) without
permitting any case-splitting at all. Although FAST.PROVE is, of course,
incomplete, it was found to be quite effective as a kind of preprocessor; a
given formula would be subjected to FAST.PROVE at each level of its tree
structure before any case splitting would be undertaken at all. Once again,
it was discovered that a delicate balance had to be maintained in order not to
waste too much time in the case where the FAST.PROVE component was not
successful. As in the case of simplification, the criticality of this balance
is due to the recursive structure of the prover as a whole, which greatly
magnifies the effect, for better or worse, of any computation that is carried
out at each level of the recursion.
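The unit-literal simplification traced above, and the FAST.PROVE strategy just described, as an added Python illustration (the report's prover is written in LISP; this tuple encoding and these function names are ours): a simplifier that never case-splits, run on the report's expression E.

```python
"""Recursive simplification without case-splitting, applied to the report's
expression E.  Added illustration; formulas are nested tuples such as
("AND", "P", ("NOT", "Q")), with strings as propositional symbols."""

def is_literal(f):
    """A symbol, or the negation of a symbol."""
    return not isinstance(f, tuple) or (f[0] == "NOT" and not isinstance(f[1], tuple))

def negate(lit):
    """Complement of a literal: (NOT P) <-> P."""
    return lit[1] if isinstance(lit, tuple) else ("NOT", lit)

def count_dnf_cases(formula):
    """Cases a naive case split produces for a top-level AND: the product over
    conjuncts of their number of disjuncts (a non-OR conjunct counts once)."""
    if not (isinstance(formula, tuple) and formula[0] == "AND"):
        return 1
    cases = 1
    for c in formula[1:]:
        cases *= len(c) - 1 if isinstance(c, tuple) and c[0] == "OR" else 1
    return cases

def simplify(f, context=frozenset()):
    """Reduce f under a set of unit literals assumed true.  Returns True,
    False, or an equivalent residual formula.  Never splits cases."""
    if is_literal(f):
        if f in context:
            return True
        if negate(f) in context:
            return False
        return f
    op, args = f[0], f[1:]
    if op == "NOT":
        r = simplify(args[0], context)
        if isinstance(r, bool):
            return not r
        return negate(r) if is_literal(r) else ("NOT", r)
    if op == "OR":
        residual = []
        for a in args:
            r = simplify(a, context)
            if r is True:
                return True            # one true disjunct settles the OR
            if r is not False:
                residual.append(r)     # false disjuncts simply drop out
        if not residual:
            return False
        return residual[0] if len(residual) == 1 else ("OR",) + tuple(residual)
    if op == "AND":
        return simplify_and(args, context)
    raise ValueError("unknown connective %r" % op)

def simplify_and(conjuncts, context):
    """Each conjunct that collapses to a literal becomes a unit literal, and
    the remaining conjuncts are simplified again in the enlarged context; this
    repeated re-application is the extra cost of simplification the report
    describes."""
    units = set(context)          # literals currently known to hold
    found = []                    # unit literals discovered here, in order
    rest = list(conjuncts)
    progressed = True
    while progressed:
        progressed = False
        remaining = []
        for c in rest:
            r = simplify(c, frozenset(units))
            if r is False:
                return False          # a contradiction kills the whole AND
            if r is True:
                progressed = True
            elif is_literal(r):
                if negate(r) in units:
                    return False      # clashes with a unit already derived
                units.add(r)
                found.append(r)
                progressed = True
            else:
                remaining.append(r)
        rest = remaining
    parts = found + rest
    if not parts:
        return True
    return parts[0] if len(parts) == 1 else ("AND",) + tuple(parts)

def fast_prove(formula):
    """The FAST.PROVE idea: settle a formula by simplification alone.
    Returns True or False, or None when only case splitting could decide it."""
    r = simplify(formula)
    return r if isinstance(r, bool) else None

# The report's expression E, transcribed into the tuple encoding.
E = ("AND", "P",
     ("OR", ("NOT", "P"), ("NOT", "Q")),
     ("OR", "Q", ("AND", ("NOT", "P"), ("NOT", "Q")), "R"),
     ("OR", ("NOT", "P"), "Q", ("NOT", "R")))

if __name__ == "__main__":
    print("naive DNF cases:", count_dnf_cases(E))                 # 18
    print("E simplifies to:", simplify(E))                        # False
    print("P or not P by FAST.PROVE:", fast_prove(("OR", "P", ("NOT", "P"))))  # None
```

The last line shows the incompleteness the report mentions: a tautology such as P or (NOT P) yields no unit literal, so FAST.PROVE returns None and case splitting would be needed.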

The remainder of this section illustrates the operation of the theorem prover
on some examples. The first series of examples involves simple mathematical
identities, and is included to exemplify operation of the prover. The second
series is extracted from the design proof of the SIFT operating system, and
was kindly furnished by Melliar-Smith and Schwartz. A partial listing of the
propositional simplifier portion of the prover is supplied in an appendix for
the benefit of those interested in the details of its operation. In the
following, annotations in brackets are not part of the user-machine dialogue,
but were inserted after the fact for the purposes of explanation. Lines
headed by numbers show commands issued by the user.

2_DSV(NUMBER X)

3_DSV(NUMBER Y)

4_DSV(NUMBER Z)

[In the three DSV (Declare Symbol Variable) commands above, the user declares
X, Y, and Z to be numbers (i.e., reals).]

5_DD(NUMBER MAX(X Y)(IF (LESSP X Y) Y X))

[This Declare Definition command defines the function MAX that takes two
numbers as arguments and returns a number. Note that the IF construct that
provides the definition defines MAX in the usual way.]

6_DF(MAX.COMMUTE (EQUAL (MAX X Y)(MAX Y X)))

[This Declare Formula command associates the name MAX.COMMUTE with the given
formula. The system typechecks the formula, and would issue an error message
if it were found to be ill-formed.]

7_PR(MAX.COMMUTE)

602 conses
.7 seconds
Proved

[The user now invokes the prover on the formula MAX.COMMUTE. After .7 CPU
seconds, the prover returns Proved, and indicates the number of LISP conses
required by the proof.]

8_DF(MAX.ASSOC (EQUAL (MAX X (MAX Y Z))(MAX (MAX X Y) Z)))

9_PR(MAX.ASSOC)

32343 conses
26.05 seconds
Proved 

[The IF structure in the definition of MAX produces a great deal of
propositional case-splitting in the proof of this formula, accounting for the
formidable difference in proof times between MAX.COMMUTE and MAX.ASSOC.]
10_DD(NUMBER ABS(X)(IF (LESSP X 0) (MINUS X) X))

[The function ABS is now defined in the usual way.]

11_DF(FORALL.EXISTS (FORALL X (EXISTS Y (LESSEQP X Y))))

12_PR(FORALL.EXISTS)

Want instance for FORALL.EXISTS? Y
Y/ (ABS X)

- Proving - 

305  conses 
.25  seconds 
Proved 

[The system asks for an instantiation of the existentially quantified variable
Y. The user types in the instance term (ABS X). The instance is typechecked
by the system and substituted for the variable Y in the Skolem form of the
formula to be proved. The resulting ground formula is then proved by the
underlying decision procedure.]
We now give, as an example of the use of this system, the proof of
the correspondence between the two most abstract levels in the design of the
SIFT system [Sift:Agard]. This proof aims to demonstrate the validity of the
design of SIFT by

-  constructing  a  very  abstract  model  of  SIFT,  simple  enough  to  be 
evidently  what  is  required  by  the  users  of  the  system.  This 
description,  in  conventional  mathematical  notation,  is  simple  enough 
to  fit  onto  one  page 

-  developing a hierarchy of models of increasing complexity,
   culminating in the imperative Pascal program that implements the
   SIFT executive

-  demonstrating  that  each  of  the  axioms  of  each  of  these  models  can  be 
proven  as  a  theorem  from  the  axioms  of  the  model  below  it,  though  in 
many  cases  the  axioms  are  identical  and  the  'proof'  is  trivial. 

We include here the complete definitions of the most abstract model of
SIFT, the IO Model, and of the next model of the SIFT hierarchy, the
Replication Model. Also included are the set of lemmas, and the proofs of the
lemmas, leading up to the proofs of the two most interesting axioms of the IO
Model. These two axioms are the axioms stating that SIFT tasks get the
correct results both when they are scheduled to execute and also when they are
dormant. The proofs are, in effect, the proofs of the validity of majority
voting to ensure correct operation of SIFT even in the presence of faults.

It is important to note that this example is a demonstration of the use of
the system ON A REAL APPLICATION. Real applications turn out to be much
bigger than the examples on which theorem provers are normally tested. Not
only must the system accommodate models containing hundreds of axioms and
lemmas, but also the individual formulas can become very large. The more
detailed levels of SIFT, where the theorem prover has also been successful,
are yet more complex than the example we give here.
The IO Model


( 

(IEF INTEGER.STP)          {These commands read into the
(IEF SEQ.STP)               system previously defined sets
(IEF SETS.AXIOMS)           of axioms}
(IEF PAIROF.STP)

(DTV TYPE1)                {Type variable declarations}

(DTV TYPE2)

(DST REALTIME INTEGER)     {Subtype declarations}

(DST  SUBFRAMETIME  INTEGER) 

(DST  INTERVAL  (PAIR. OF  SUBFRAMETIME  SUBFRAMETIME)) 

(DSV INTERVAL INTERVAL1)   {A variable declaration}

(DD SUBFRAMETIME BEGIN (INTERVAL1) (FIRST INTERVAL1))

(DD SUBFRAMETIME END (INTERVAL1) (SECOND INTERVAL1))

{Declarations of Definitions}

(DD TYPE1 VALUE (PAIR1) (FIRST PAIR1))

(DD TYPE2 SOURCE (PAIR1) (SECOND PAIR1))


(DT FUNCTION.TYPE)         {Declaration of an uninterpreted type}
(DT SET.OF (TYPE1))


(DST  ITERATION  INTEGER) 

(DSV  ITERATION  I) 

(DD ITERATION INCR (I) (IPLUS I 1))


(DT  DATAVAL) 

(DST  DATA  (SEQ  DATAVAL)) 
(QUOTE  "WAS  (DT  DATA)") 
(DT  PROC) 

(DT  TASK) 


(DSV  TASK  K) 

(DSV  TASK  L) 

(DS TASK GLOBAL.EXEC)      {Declaration of a constant}

(DS  TASK  CLOCK) 

(DS DATA BOTTOM1 (TASK))

(DSV  ITERATION  J) 

(DSV  SUBFRAMETIME  T) 

(DSV  SUBFRAMETIME  TT) 

(DSV  INTERVAL  II) 

(DSV  PROC  P) 

(DSV  PROC  QQ) 

(DSV  DATA  V) 

(DSV (PAIR.OF DATA TASK) V.T)

(DSV (SET.OF (PAIR.OF DATA TASK)) V.INPUTS)

(DSV (SET.OF (PAIR.OF DATA PROC)) V.BAG)

(DS REALTIME EPSILON)

(DS  REALTIME  LAMBDA) 

(DSV  SUBFRAMETIME  T1) 

(DSV  SUBFRAMETIME  T2) 

(DS INTERVAL OF (ITERATION TASK))   {Declaration of Functions}

(DS  INTERVAL  DW.OF  (ITERATION  TASK)) 

(DS  INTERVAL  DW. FOR. TO. OF  (TASK  ITERATION  TASK)) 

(DS  ITERATION  TO. OF  (TASK  ITERATION  TASK)) 

(DS  TASK  ERROR. REPORTER  (PROC)) 

(DSV  SUBFRAMETIME  T.SUB) 

(DD  SUBFRAMETIME  SUB.INCR  (T.SUB)  (PLUS  T.SUB  1)) 

(DD  SUBFRAMETIME  SUB.DECR  (T.SUB)  (DIFFERENCE  T.SUB  1)) 

(DS  TASK  IC. ERROR. REPORTER  (PROC)) 

(DS (SET.OF PROC) SAFE (SUBFRAMETIME))

(DS (SET.OF PROC) SAFE.FOR (INTERVAL))

(DS (SET.OF PROC) CONFIGURATION (DATA))

(DS BOOL TASK.SAFE (TASK ITERATION))

(DS (SET.OF PROC) POLL.FOR.OF (ITERATION TASK))

(DS (SET.OF DATA) ON (TASK ITERATION PROC))

(DS DATA ON.IN (TASK ITERATION PROC PROC))

(DS DATA IN (TASK ITERATION PROC))

(DS (SET.OF DATA) RESULT (TASK ITERATION))

(DS BOOL IC (TASK))

(DS BOOL ON.DURING (TASK ITERATION))

(DS BOOL SSF (TASK TASK))

(DS (SET.OF TASK) INPUTS (TASK))

(DS  DATA  APPLY  (FUNCTION. TYPE  (SET. OF  (PAIR. OF  DATA  TASK)))) 

(DS  FUNCTION. TYPE  FUNCTION  (TASK)) 

(DS  REALTIME  REAL. TIME  (SUBFRAMETIME)) 

(DS  BOOL  REPORTS  (PROC  PROC  ITERATION  TASK)) 

(DS  DATA  REPORTVAL  (PROC  PROC  ITERATION  TASK)) 

(DS  BOOL  ON. DURING  (TASK  ITERATION)) 

(DS  ITERATION  TO. OF  (TASK  ITERATION  TASK)) 

(DS  BOOL  TASK. SAFE  (TASK  ITERATION)) 

(DS (SET.OF DATA) RESULT (TASK ITERATION))

(DSV (PAIR.OF DATA PROC) V.P)

(DS BOOL IC.TASK.SAFE (TASK ITERATION))
(DS BOOL IC.TASK.SAFE (TASK ITERATION))
(DS TYPE1 SELECT ((SET.OF TYPE1)))


(DA IO.A1.1 (LESSP (SUB.INCR (BEGIN (OF I K)))
                   (END (OF I K))))

(DA IO.A1.2 (LESSEQP (END (OF I K))
                     (BEGIN (OF (INCR I)
                                K))))

(DA IO.A1.3 (IMPLIES (SSF L K)
                     (EQUAL (SUB.INCR (BEGIN (OF I K)))
                            (END (OF (TO.OF L I K)
                                     L)))))

(DA IO.A3 (IMPLIES (AND (IC K)
                        (IC.TASK.SAFE K I))
                   (EQUAL (CARD (RESULT K I))
                          1)))

(DA IO.A4 (IMPLIES (AND (IC K)
                        (MEMBER (SOURCE V.T)
                                (INPUTS K))
                        (SINGLETON V.INPUTS V.T))
                   (AND (EQUAL (CARD (INPUTS K))
                               1)
                        (IMPLIES (MEMBER L (INPUTS K))
                                 (EQUAL 1
                                        (CARD (POLL.FOR.OF (TO.OF L I K)
                                                           L))))
                        (EQUAL (VALUE V.T)
                               (APPLY (FUNCTION K)
                                      V.INPUTS)))))

(DA IO.A5 (IMPLIES (AND (MEMBER L (INPUTS K))
                        (ON.DURING K I)
                        (TASK.SAFE K I)
                        (NOT (ON.DURING L (TO.OF L I K))))
                   (AND (SINGLETON (RESULT L (TO.OF L I K))
                                   (BOTTOM1 L))
                        (TASK.SAFE L (TO.OF L I K)))))

(DA IO.A6 (IMPLIES (AND (LESSP T2 T1)
                        (FORALL I (IMPLIES (LESSEQP (END (OF I (CLOCK)))
                                                    T1)
                                           (TASK.SAFE (CLOCK)
                                                      I))))
                   (AND (LESSP (DIFFERENCE (TIMES (DIFFERENCE T1 T2)
                                                  (DIFFERENCE 1 (LAMBDA)))
                                           (EPSILON))
                               (DIFFERENCE (REAL.TIME T1)
                                           (REAL.TIME T2)))
                        (LESSP (DIFFERENCE (REAL.TIME T1)
                                           (REAL.TIME T2))
                               (PLUS (TIMES (DIFFERENCE T1 T2)
                                            (PLUS 1 (LAMBDA)))
                                     (EPSILON))))))

(DS  (SET. OF  (PAIR. OF  DATA  TASK))  V. INPUTS. A2  (ITERATION  TASK)) 

(DA IO.A2A
    (IFF (AND (MEMBER (SOURCE V.T)
                      (INPUTS K))
              (MEMBER (VALUE V.T)
                      (RESULT (SOURCE V.T)
                              (TO.OF (SOURCE V.T)
                                     I K))))
         (MEMBER V.T (V.INPUTS.A2 I K))))


(DA IO.A2
    (IMPLIES (AND (ON.DURING K I)
                  (TASK.SAFE K I)
                  (FORALL L
                      (IMPLIES (MEMBER L (INPUTS K))
                               (EQUAL (CARD (RESULT L
                                                    (TO.OF L I K)))
                                      1))))
             (SINGLETON (RESULT K I)
                        (APPLY (FUNCTION K) (V.INPUTS.A2 I K)))))

) 
The Replication Model


( 

(IEF  INTEGER. STP) 

(IEF SEQ.STP)

(IEF  SETS. AXIOMS) 

(IEF  PAIROF.STP) 

(DTV TYPE2)

(DTV TYPE1)

(DST  REALTIME  INTEGER) 

(DST  SUBFRAMETIME  INTEGER) 

(DST  INTERVAL  (PAIR. OF  SUBFRAMETIME  SUBFRAMETIME)) 
(DSV INTERVAL INTERVAL1)

(DD SUBFRAMETIME BEGIN (INTERVAL1) (FIRST INTERVAL1))
(DD SUBFRAMETIME END (INTERVAL1) (SECOND INTERVAL1))
(QUOTE (DS SUBFRAMETIME BEGIN (INTERVAL)))

(QUOTE (DS SUBFRAMETIME END (INTERVAL)))

(DD TYPE1 VALUE (PAIR1) (FIRST PAIR1))

(DD TYPE2 SOURCE (PAIR1) (SECOND PAIR1))

(IEF  MAJORITY. STP) 

(DT  FUNCTION. TYPE) 

(DST  ITERATION  INTEGER) 

(DT  DATAVAL) 

(DS DATAVAL BOTTOMD)

(DSV DATAVAL D1)
(DA  BOTTOM. EQUALITY 

(EQUAL  (BOTTOM  DD  ( BOTTOM D) ) ) 

(DT  TASK) 

(DSV  TASK  K) 

(DSV  TASK  L) 

(DS NAT RESULT.SIZE (TASK))


(DST  DATA  (SEQ  DATAVAL)) 

(DSV  DATA  V) 

(DSV DATA V1)

(DS DATA BOTTOM1 (TASK))

(DA DATA.BOTTOM
    (IMPLIES (AND (LESSEQP 1 Y)
                  (LESSEQP Y (RESULT.SIZE K)))
             (EQUAL (SEQ.ELEM (BOTTOM1 K) Y) (BOTTOMD))))

(DA DATA.EQUALITY
    (IFF (EQUAL V V1)
         (FORALL Y
             (IMPLIES (AND (EQUAL (SEQ.LENGTH V) (SEQ.LENGTH V1))
                           (LESSEQP 1 Y)
                           (LESSEQP Y (SEQ.LENGTH V)))
                      (EQUAL (SEQ.ELEM V Y) (SEQ.ELEM V1 Y))))))

(DT  PROC) 

(DS  TASK  GLOBAL. EXEC) 

(DS  TASK  CLOCK) 

(DSV  ITERATION  I) 

(DSV  ITERATION  J) 

(DSV  ITERATION  J1) 

(DSV  SUBFRAMETIME  T) 

(DSV  SUBFRAMETIME  TT) 

(DSV  INTERVAL  II) 

(DSV  PROC  P) 

(DSV  PROC  QQ) 

(DSV  PROC  R) 

(DSV  (PAIR. OF  DATA  TASK) 

V.T) 

(DSV (SET.OF (PAIR.OF DATA TASK))

V. INPUTS) 

(DSV  (SET. OF  (PAIR. OF  DATA  PROC)) 

V.BAG) 

(DS  REALTIME  EPSILON) 

(DS REALTIME LAMBDA)

(DSV SUBFRAMETIME T1)

(DSV  SUBFRAMETIME  T2) 

(DS  INTERVAL  OF  (ITERATION  TASK)) 

(DS  INTERVAL  DW.OF  (ITERATION  TASK)) 

(DS INTERVAL DW.FOR.TO.OF (TASK ITERATION TASK))

(DS  ITERATION  TO. OF  (TASK  ITERATION  TASK)) 

(DS  TASK  ERROR. REPORTER  (PROC)) 

(DSV  SUBFRAMETIME  T.SUB) 

(DD  SUBFRAMETIME  SUB.INCR  (T.SUB)  (PLUS  T.SUB  1)) 

(DD SUBFRAMETIME SUB.DECR (T.SUB) (DIFFERENCE T.SUB 1))

(DS  TASK  IC. ERROR. REPORTER  (PROC)) 

(DS  (SET. OF  PROC)  SAFE  (SUBFRAMETIME)) 

(DS (SET.OF PROC) SAFE.FOR (INTERVAL))

(DS (SET.OF PROC) CONFIGURATION (DATA))

(DS  BOOL  TASK. SAFE  (TASK  ITERATION)) 

(DS  (SET. OF  PROC) 

POLL. FOR. OF 
(ITERATION TASK))

(DS  (SET. OF  DATA) 

ON 

(TASK  ITERATION  PROC)) 

(DS  DATA  ON. IN  (TASK  ITERATION  PROC  PROC)) 

(DS DATA IN (TASK ITERATION PROC))

(DS  (SET. OF  DATA) 

RESULT 

(TASK  ITERATION)) 

(DS  (SET. OF  (PAIR. OF  DATA  TASK))  V. INPUTS. A2  (ITERATION  TASK)) 
(DS  DATA  APPLY  (FUNCTION. TYPE  (SET. OF  (PAIR. OF  DATA  TASK)))) 

(DS  FUNCTION. TYPE  FUNCTION  (TASK)) 

(DA  DATA. SIZE. IS. SEQ. LENGTH 
(AND 

(EQUAL  (SEQ. LENGTH  (IN  K  I  QQ))  (RESULT. SIZE  K)) 

(EQUAL  (SEQ. LENGTH  (APPLY  (FUNCTION  K)  (V. INPUTS. A2  I  K))) 
(RESULT. SIZE  K)) 

(EQUAL  (SEQ. LENGTH  ( BOTTOM 1  K))  (RESULT. SIZE  K)) 

(EQUAL (SEQ.LENGTH (ON.IN K I P QQ)) (RESULT.SIZE K))))

(DA RESULT.SIZE.GREATER.THAN.1
    (GREATEREQP (RESULT.SIZE K) 1))

(DS  BOOL  IC  (TASK)) 

(DS  BOOL  ON. DURING  (TASK  ITERATION)) 

(DS  BOOL  SSF  (TASK  TASK)) 

(DS  (SET. OF  TASK) 

INPUTS 

(TASK)) 

(DS  REALTIME  REAL. TIME  (SUBFRAMETIME)) 

(DS  BOOL  REPORTS  (PROC  PROC  ITERATION  TASK)) 

(DS  DATA  REPORTVAL  (PROC  PROC  ITERATION  TASK)) 

(DS  BOOL  ON. DURING  (TASK  ITERATION)) 

(DS  ITERATION  TO. OF  (TASK  ITERATION  TASK)) 

(DS  BOOL  TASK. SAFE  (TASK  ITERATION)) 

(DS  (SET. OF  DATA) 

RESULT 

(TASK  ITERATION)) 

(DSV  DATA  V.CARD) 

(DSV  DATA  V.CARD1 ) 

(DSV (SET.OF TYPE1) S1)

(DSV (SET.OF TYPE1) S2)

(DSV  DATA  V2) 

(DSV  DATA  V3) 

(DSV  DATA  V4) 

(DSV  (PAIR. OF  DATA  PROC) 

V.P) 
(DS (SET.OF (PAIR.OF DATAVAL PROC)) D.BAG.L10 (TASK ITERATION PROC NAT))

(DS  BOOL  IC. TASK. SAFE  (TASK  ITERATION)) 

(DS  BOOL  IC. TASK. SAFE  (TASK  ITERATION)) 

(DD ITERATION DECR (I) (DIFFERENCE I 1))

(DD ITERATION INCR (I) (IPLUS 1 I))


(DA RP.A1.1 (LESSP (SUB.INCR (BEGIN (OF I K)))

(END  (OF  I  K)))) 

(DA  RP.A1.2  (LESSEQP  (END  (OF  I  K)) 

(BEGIN  (OF  (INCR  I) 

K)))) 

(DA RP.A2 (IMPLIES (AND (MEMBER P (SAFE.FOR (OF I K)))
                        (MEMBER QQ (SAFE.FOR (OF I K))))
                   (SINGLETON (ON K I P)
                              (ON.IN K I P QQ))))

(DA  RP.A7  (AND  (EQUAL  (CARD  (INPUTS  (ERROR. REPORTER  P))) 

0) 

(SINGLETON  (INPUTS  (IC. ERROR. REPORTER  P)) 

(ERROR. REPORTER  P)) 

(IC (IC.ERROR.REPORTER P))

(SINGLETON  (POLL. FOR. OF  I  (ERROR. REPORTER  P)) 

P) 

(EQUAL  I  (TO. OF  (IC. ERROR. REPORTER  P) 

I 

(ERROR. REPORTER  P))))) 

(DA  RP.A8  (AND  (MEMBER  (IC. ERROR. REPORTER  P) 

(INPUTS  (GLOBAL. EXEC))) 

(LESSP  (BEGIN  (OF  I  (GLOBAL. EXEC) ) ) 

(BEGIN  (OF  I  (IC. ERROR. REPORTER  QQ)))) 

(LESSP  (BEGIN  (OF  I  (IC. ERROR. REPORTER  QQ))) 

(BEGIN  (OF  (INCR  I) 

(GLOBAL. EXEC) ) ) ) ) ) 

(DA RP.A9 (AND (SUBSET (CONFIGURATION (SELECT (RESULT (GLOBAL.EXEC)
                                                      I)))

(CONFIGURATION  (SELECT  (RESULT  (GLOBAL. EXEC) 

(DECR  I))))) 

(IMPLIES  (LESSP  (END  (OF  I  (GLOBAL. EXEC) ) ) 

(BEGIN  (OF  J  K))) 

(SUBSET  (POLL. FOR. OF  J  K) 

(CONFIGURATION  (SELECT  (RESULT  (GLOBAL. EXEC) 

I))))))) 

(DA  RP.D2.1  (EQUAL  (BEGIN  (DW.FOR.TO.OF  L  I  K)) 

(IF  (MEMBER  L  (INPUTS  K)) 

(BEGIN  (OF  (TO. OF  L  I  K) 

L)) 
(BEGIN (OF I K)))))

(DA  RP.D2.2  (EQUAL  (END  (DW. FOR. TO. OF  L  I  K)) 

(END (OF I K))))

(DA RP.D3.1 (NOT (LESSP (BEGIN (DW.FOR.TO.OF L I K))

(BEGIN  (DW.OF  I  K))))) 

(DA  RP.D3.3  (EQUAL  (END  (DW.OF  I  K)) 

(END  (OF  I  K)))) 

(DA  RP.D7  (IFF  (ON. DURING  K  I) 

(GREATERP (CARD (POLL.FOR.OF I K))
0))) 


(DSV  (PAIR. OF  DATAVAL  PROC)  D.P) 

(DSV  (SET. OF  (PAIR. OF  DATAVAL  PROC))  D.BAG) 

(DS  (SET. OF  (PAIR. OF  DATAVAL  PROC))  D.BAG. D4  (TASK  ITERATION  PROC  NAT)) 
(DA  RP.D4A 

(IFF  (MEMBER  D.P  (D.BAG.D4  K  I  QQ  Y)) 

(EXISTS  P  (AND  (EQUAL  (SEQ.ELEM  (ON. IN  K  I  P  QQ)  Y) 

(VALUE  D.P)) 

(EQUAL  P  (SOURCE  D.P)) 

(MEMBER  P  (POLL. FOR. OF  I  K)))))) 


(DA  RP.D4  (IMPLIES 
(AND 

(MEMBER QQ (SAFE.FOR (OF I K)))

(LESSEQP  1  Y) 

(LESSEQP  Y  (RESULT. SIZE  K))  ) 

(EQUAL  (SEQ.ELEM  (IN  K  I  QQ)  Y) 

(MAJORITY  (D.BAG. D4  K  I  QQ  Y))))) 

(DS  (SET. OF  (PAIR. OF  DATA  TASK))  V. INPUTS. A3  (TASK  ITERATION  PROC)) 
(DA  RP.A3A 

(IFF  (MEMBER  V.T  (V. INPUTS. A3  K  I  P)) 

(AND  (MEMBER  (SOURCE  V.T) 

(INPUTS  K)) 

(EQUAL  (VALUE  V.T) 

(IN  (SOURCE  V.T) 

(TO. OF  (SOURCE  V.T) 

I  K) 

P))))) 


(DA  RP.A3  (IMPLIES 

(MEMBER  P  (INTERSECTION  (POLL. FOR. OF  I  K) 

(SAFE. FOR  (DW.OF  I  K)))) 

(SINGLETON (ON K I P)

(APPLY  (FUNCTION  K)  (V. INPUTS. A3  K  I  P))))) 


(DA RP.D1
    (AND (IMPLIES (AND (MEMBER L (INPUTS K))
                       (NOT (SSF L K)))
                  (AND (NOT (LESSP (BEGIN (OF I K))
                                   (END (OF (TO.OF L I K) L))))
                       (LESSP (BEGIN (OF I K))
                              (END (OF (INCR (TO.OF L I K)) L)))))
         (IMPLIES (AND (MEMBER L (INPUTS K))
                       (SSF L K))
                  (EQUAL (END (OF (TO.OF L I K) L))
                         (SUB.INCR (BEGIN (OF I K)))))))

(DA IO.D1
    (AND (IMPLIES (AND (MEMBER L (INPUTS K))
                       (NOT (SSF L K)))
                  (AND (NOT (LESSP (BEGIN (OF I K))
                                   (END (OF (TO.OF L I K) L))))
                       (LESSP (BEGIN (OF I K))
                              (END (OF (INCR (TO.OF L I K)) L)))))
         (IMPLIES (AND (MEMBER L (INPUTS K))
                       (SSF L K))
                  (EQUAL (END (OF (TO.OF L I K) L))
                         (SUB.INCR (BEGIN (OF I K)))))))


(DA RP.D11
    (IFF (MEMBER D.P (D.BAG.L10 K I QQ Y))
         (EXISTS P
             (AND (MEMBER P (INTERSECTION (POLL.FOR.OF I K)
                                          (SAFE.FOR (DW.OF I K))))
                  (EQUAL (SEQ.ELEM (ON.IN K I P QQ) Y)
                         (VALUE D.P))
                  (EQUAL P (SOURCE D.P))))))


(DA RP.D9A (IFF (TASK.SAFE K I)
                (OR (NOT (ON.DURING K I))
                    (LESSP (CARD (POLL.FOR.OF I K))
                           (TIMES 2
                                  (CARD (INTERSECTION (POLL.FOR.OF I K)
                                                      (SAFE.FOR (DW.OF I K)))))))))

(DA RP.A4 (IMPLIES (AND (IC K)
                        (IC.TASK.SAFE K I))
                   (EQUAL (CARD (RESULT K I))
                          1)))


(DA RP.D9B
    (IFF (IC.TASK.SAFE K I)
         (OR (NOT (ON.DURING K I))
             (AND (IC K)
                  (IMPLIES (MEMBER L (INPUTS K))
                           (LESSP (TIMES 2
                                         (CARD (UNION (POLL.FOR.OF (TO.OF L I K) L)
                                                      (POLL.FOR.OF I K))))
                                  (TIMES 3
                                         (CARD (INTERSECTION
                                                   (SAFE.FOR (DW.OF I K))
                                                   (UNION (POLL.FOR.OF (TO.OF L I K) L)
                                                          (POLL.FOR.OF I K)))))))))))


(DA RP.A5 (IMPLIES (AND (IC K)
                        (MEMBER (SOURCE V.T)
                                (INPUTS K))
                        (SINGLETON V.INPUTS V.T))
                   (AND (EQUAL (CARD (INPUTS K))
                               1)
                        (IMPLIES (MEMBER L (INPUTS K))
                                 (EQUAL 1
                                        (CARD (POLL.FOR.OF (TO.OF L I K)
                                                           L))))
                        (EQUAL (VALUE V.T)
                               (APPLY (FUNCTION K)
                                      V.INPUTS)))))

(DA RP.A10 (IMPLIES (MEMBER P (SAFE.FOR (DW.OF J K)))
                    (IFF (AND (NOT (IC L))
                              (MEMBER L (INPUTS K))
                              (MEMBER QQ (POLL.FOR.OF (TO.OF L J K)
                                                      L))
                              (NOT (EQUAL (ON.IN L (TO.OF L J K)
                                                 QQ P)
                                          (IN L (TO.OF L J K)
                                              P))))
                         (REPORTS P QQ (TO.OF L J K)
                                  L))))

(DF  RP.A11  (IMPLIES  (GREATERP  T1  T2) 

(SUBSET  (SAFE  T1) 

(SAFE  T2)))) 


(DA RP.A6 (IMPLIES (AND (LESSP T2 T1)
                        (FORALL I (IMPLIES (LESSEQP (END (OF I (CLOCK)))
                                                    T1)
                                           (TASK.SAFE (CLOCK)
                                                      I))))
                   (AND (LESSP (DIFFERENCE (TIMES (DIFFERENCE T1 T2)
                                                  (DIFFERENCE 1 (LAMBDA)))
                                           (EPSILON))
                               (DIFFERENCE (REAL.TIME T1)
                                           (REAL.TIME T2)))
                        (LESSP (DIFFERENCE (REAL.TIME T1)
                                           (REAL.TIME T2))
                               (PLUS (TIMES (DIFFERENCE T1 T2)
                                            (PLUS 1 (LAMBDA)))
                                     (EPSILON))))))

(DA RP.D3.2 (EXISTS L (EQUAL (BEGIN (DW.FOR.TO.OF L I K))
                             (BEGIN (DW.OF I K)))))

(DA  RP.D8  (IFF  (REPORTS  P  QQ  I  K) 

(EXISTS  J 

(AND  (LESSEQP  (BEGIN  (OF  I  K)) 

(BEGIN  (OF  J  (ERROR. REPORTER  P)))) 
(LESSP  (BEGIN  (OF  (DECR  J) 

(ERROR. REPORTER  P))) 

(END  (OF  (TO. OF  L  I  K) 

L))) 

(MEMBER  (REPORTVAL  P  QQ  I  K) 

(RESULT  (ERROR. REPORTER  P) 

J)))))) 

(DA  RP.D10  (IFF  (FORALL  T  (IMPLIES  (AND  (LESSEQP  (BEGIN  II) 

T) 

(LESSP  T  (END  II))) 

(MEMBER  P  (SAFE  T)))) 

(MEMBER  P  (SAFE. FOR  II)))) 


(DA  RP.D6 
(IFF 

(MEMBER  V  (RESULT  K  I)) 

(EXISTS  P  (AND 

(MEMBER P (SAFE.FOR (OF I K)))
(EQUAL  V  (IN  K  I  P)))))) 


) 


The  Lemmas 


( 

(QUOTE "The beginning of a Data Window is earlier than or at least equal to the
beginning of the Execution Window")

(DF RP.L1 (GREATEREQP (BEGIN (OF I K))

(BEGIN  (DW. FOR. TO. OF  L  I  K)))) 

(QUOTE  "If  a  time  is  within  the  Execution  Window,  then  it  must  be  within 
the  Data  Window") 

(DF  RP.L2  (IMPLIES  (AND  (LESSEQP  (BEGIN  (OF  I  K)) 

T) 

(LESSP T (END (OF I K))))

(AND  (LESSEQP  (BEGIN  (DW.OF  I  K)) 

T) 

(LESSP  T  (END  (DW.OF  I  K)))))) 

(QUOTE  "If  a  processor  is  Safe  for  the  Data  Window,  it  is  Safe  for  the 
Execution  Window") 

(DF RP.L3 (IMPLIES (MEMBER P (SAFE.FOR (DW.OF I K)))

(MEMBER  P  (SAFE. FOR  (OF  I  K))))) 

(QUOTE "If a task generates a singleton result value, then safe processors
will have that value in their In buffer")

(DF  RP.L4  (IMPLIES  (AND  (MEMBER  L  (INPUTS  K)) 

(EQUAL 1 (CARD (RESULT L (TO.OF L I K))))

(MEMBER  P  (SAFE. FOR  (DW.OF  I  K)))) 

(IFF  (MEMBER  V  (RESULT  L  (TO. OF  L  I  K))) 

(EQUAL  V  (IN  L  (TO. OF  L  I  K) 

P))))) 

(QUOTE "If a task is on a processor that is Safe for its data window,
and if all its input tasks are well behaved, the inputs to the
task will be the same as in the IO Model")

(DF  RP.L5  (IMPLIES  (AND 

(FORALL L

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K)))))) 
(MEMBER  P  (SAFE. FOR  (DW.OF  I  K)))) 

(IFF (MEMBER V.T (V.INPUTS.A3 K I P))

(MEMBER  V.T  (V. INPUTS. A2  I  K))))) 

(QUOTE  "As  RP.L5") 

(DF  RP.L6  (IMPLIES 
(AND 

(FORALL  L 

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K)))))) 
(MEMBER  P  (SAFE. FOR  (DW.OF  I  K)))) 

(EQUAL  (V. INPUTS. A2  I  K)  (V. INPUTS. A3  K  I  P)))) 


(QUOTE "If a processor is Safe for the Data Window of a task, it is Safe for
the Execution Windows of each of that task's input tasks. Needed to
prove RP.L4")

(DF  RP.L7  (IMPLIES  (AND  (MEMBER  P  (SAFE. FOR  (DW.OF  I  K))) 

(MEMBER  L  (INPUTS  K))) 

(MEMBER  P  (SAFE. FOR  (OF  (TO. OF  L  I  K) 

L))))) 

(QUOTE "If a processor executes a task, and is Safe for the data window of
that task, and if all the inputs to the task are well behaved, then
the task output computed by that processor will be the result of
applying the task function to the correct task inputs")

(DF  RP.L8  (IMPLIES 
(AND 

(MEMBER  P  (INTERSECTION  (POLL. FOR. OF  I  K) 

(SAFE. FOR  (DW.OF  I  K)))) 

(FORALL  L 

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K))))))) 

(SINGLETON  (ON  K  I  P) 

(APPLY  (FUNCTION  K) 

(V. INPUTS. A2  I  K))))) 

(QUOTE  "...  and  that  output  value  will  be  the  broadcast  value  received  by 
all  processors  that  are  Safe  for  the  execution  window  of  the  task") 
(DF  RP.L9  (IMPLIES  (AND  (MEMBER  P  (INTERSECTION  (POLL. FOR. OF  I  K) 

(SAFE. FOR  (DW.OF  I  K)))) 

(FORALL  L 

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K)))))) 
(MEMBER  QQ  (SAFE. FOR  (OF  I  K)))) 

(EQUAL (ON.IN K I P QQ)

(APPLY  (FUNCTION  K) 

(V. INPUTS. A2  I  K))))) 


(QUOTE  "A  result  value  received  from  a  Safe  processor  is  a  member  of  the  set 
of  all  computer  result  values") 

(DF  RP.L11  (IMPLIES  (AND  (MEMBER  QQ  (SAFE. FOR  (OF  I  K))) 

(MEMBER  D.P  (D.BAG.L10  K  I  QQ  Y))) 

(MEMBER  D.P  (D.BAG.D4  K  I  QQ  Y)))) 

(DSV (PAIR.OF DATAVAL PROC) D.P.1)

(DS  (SET. OF  (PAIR. OF  DATAVAL  PROC))  D.BAG.L12 
(TASK  ITERATION  PROC  NAT)) 


(QUOTE  "Definition  of  D.BAG.L12  to  be  the  set  of  correct  values  in  the  set  of 
result  values  to  be  voted  on") 

(DA  RP.L12A 
(IFF 

(MEMBER  D.P.1  (D.BAG.L12  K  I  QQ  Y)) 

(AND 

(EQUAL 


(SEQ.ELEM  (APPLY  (FUNCTION  K)  (V. INPUTS. A2  I  K)) 

Y) 

(VALUE  D.P.1)) 

(MEMBER  D.P.1  (D.BAG.D4  K  I  QQ  Y))))) 

(QUOTE  "If  a  processor  is  Safe  for  the  execution  window  of  a  task,  and  that 
generates  a  singleton  result  value,  then  the  result  values  received 
from  Safe  processors  by  that  processor  will  be  correct  values") 

(DF RP.L12R (IMPLIES (AND (MEMBER QQ (SAFE.FOR (OF I K)))

(MEMBER  D.P  (D.BAG.L10  K  I  QQ  Y)) 

(FORALL  L 

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K))))) 
(MEMBER  D.P  (D.BAG.L12  K  I  QQ  Y)))) 

(QUOTE  "as  RP.L12R  but  as  subset") 

(DF  RP.L13  (IMPLIES 
(AND 

(MEMBER QQ (SAFE.FOR (OF I K)))

(FORALL  L 

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K) ) ) ) ) ) ) 

(SUBSET  (D.BAG.L10  K  I  QQ  Y)  (D.BAG.L12  K  I  QQ  Y)))) 

(QUOTE  "A  time  within  the  execution  window  of  an  input  task  to  a  task  K 
lies  within  the  data  window  of  task  K.  Used  to  prove  RP.L7") 

(DF RP.L2A (IMPLIES (AND (LESSEQP (BEGIN (OF (TO.OF L I K)

L)) 

T) 

(LESSP  T  (END  (OF  (TO. OF  L  I  K) 

L))) 

(MEMBER  L  (INPUTS  K))) 

(AND  (LESSEQP  (BEGIN  (DW.OF  I  K)) 

T) 

(LESSP  T  (END  (DW.OF  I  K)))))) 

(QUOTE  "If  a  task  executes  and  is  Safe,  at  least  one  processor  must  have  been 
Safe  for  its  execution  window") 

(DF  RP.L16  (IMPLIES  (AND  (ON. DURING  K  I) 

(TASK. SAFE  K  I)) 

(GREATERP (CARD (SAFE.FOR (OF I K)))

0))) 

(QUOTE  "A  Primary  Lemma.  If  a  task  executes  and  is  Safe,  and  if  all  its 
inputs  are  well  behaved,  a  Safe  processor  voting  on  the  broadcast 
results  will  obtain  the  correct  result  value  for  that  task") 

(DF  RP.L14  (IMPLIES  (AND  (TASK. SAFE  K  I) 

(ON. DURING  K  I) 

(MEMBER QQ (SAFE.FOR (OF I K)))

(FORALL  L 
(IMPLIES 

(MEMBER  L  (INPUTS  K)) 
(EQUAL 1 (CARD (RESULT L (TO.OF L I K))))))
(LESSEQP 1 Y)

(LESSEQP Y (RESULT.SIZE K)))

(EQUAL  (SEQ.ELEM  (APPLY  (FUNCTION  K) 

(V. INPUTS. A2  I  K))  Y) 

(MAJORITY  (D.BAG.D4  K  I  QQ  Y))))) 

(QUOTE  "...  and  will  place  that  result  value  in  its  IN  buffer") 

(DF  RP.L15  (IMPLIES  (AND  (TASK. SAFE  K  I) 

(ON. DURING  K  I) 

(MEMBER QQ (SAFE.FOR (OF I K)))

(FORALL  L 
(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K))))))) 
(EQUAL  (APPLY  (FUNCTION  K) 

(V. INPUTS. A2  I  K)) 

(IN  K  I  QQ)))) 

(QUOTE  "Almost  there:  If  a  task  executes  and  is  Safe,  and  all  its  inputs 
are  well  behaved,  its  result  will  be  the  result  of  applying  its 
function  to  the  correct  inputs") 

(DSV TASK L1)

(DF  RP.L17 

(IMPLIES  (AND  (TASK. SAFE  K  I) 

(ON. DURING  K  I) 

(FORALL  L 

(IMPLIES 

(MEMBER  L  (INPUTS  K)) 

(EQUAL  1  (CARD  (RESULT  L  (TO. OF  L  I  K)))))) 
(FORALL L1

(IMPLIES

(MEMBER L1 (INPUTS K))

(EQUAL 1 (CARD (RESULT L1 (TO.OF L1 I K)))))))
(SINGLETON  (RESULT  K  I) 

(APPLY  (FUNCTION  K) 

(V. INPUTS. A2  I  K))))) 


(QUOTE  "The  number  of  versions  of  a  task's  result  available  for  voting  on  is 
the  number  of  processors  executing  that  task") 

(DF  CARD. D. BAG. D4 

(EQUAL  (CARD  (D.BAG.D4  K  I  QQ  Y)) 

(CARD  (POLL. FOR. OF  I  K)))) 

(QUOTE  "The  number  of  correct  versions  of  a  task's  result  is  the  number  of 
Safe  processors  executing  that  task") 

(DF  CARD. D. BAG. L10  (EQUAL  (CARD  (D.BAG.L10  K  I  QQ  Y)) 

(CARD  (INTERSECTION  (POLL. FOR. OF  I  K) 

(SAFE. FOR  (DW.OF  I  K)))))) 


(DSV  TASK  L2) 

(DF  NECESSARY. EVIL 
(IMPLIES 
(FORALL L
    (IMPLIES
        (MEMBER L (INPUTS K))
        (EQUAL 1 (CARD (RESULT L (TO.OF L I K))))))

(AND

(FORALL L1
    (IMPLIES
        (MEMBER L1 (INPUTS K))
        (EQUAL 1 (CARD (RESULT L1 (TO.OF L1 I K))))))

(FORALL L2
    (IMPLIES
        (MEMBER L2 (INPUTS K))
        (EQUAL 1 (CARD (RESULT L2 (TO.OF L2 I K)))))))))

(QUOTE  "We  now  consider  tasks  that  are  not  currently  being  executed") 

(QUOTE "If a task is executed and safe, and has an input task that is not
being executed, a majority of the result values for that not.on task
will be nulls")

(DF  RP.L19  (IMPLIES  (AND  (MEMBER  L  (INPUTS  K)) 

(ON. DURING  K  I) 

(TASK. SAFE  K  I) 

(NOT  (ON. DURING  L  (TO. OF  L  I  K))) 

(LESSEQP  1  Y) 

(LESSEQP  Y  (RESULT. SIZE  L))) 

(EQUAL  (BOTTOMD) 

(MAJORITY  (D.BAG.D4  L  (TO. OF  L  I  K) 

QQ  Y))))) 

(QUOTE  "...  and  on  a  safe  processor  that  null  value  will  be  placed  in  the 
IN  buffer") 

(DF  RP.L20  (IMPLIES  (AND  (MEMBER  L  (INPUTS  K)) 

(ON. DURING  K  I) 

(TASK. SAFE  K  I) 

(NOT  (ON. DURING  L  (TO. OF  L  I  K))) 

(MEMBER  QQ  (SAFE. FOR  (OF  (TO. OF  L  I  K)  L))) 
(LESSEQP  1  Y) 

(LESSEQP  Y  (RESULT. SIZE  L))) 

(EQUAL (SEQ.ELEM (BOTTOM1 L) Y)

(SEQ.ELEM  (IN  L  (TO. OF  L  I  K)  QQ)  Y)))) 

(QUOTE  "as  RP.L20") 

(DF  RP.L21  (IMPLIES  (AND  (MEMBER  L  (INPUTS  K)) 

(ON. DURING  K  I) 

(TASK. SAFE  K  I) 

(NOT  (ON. DURING  L  (TO. OF  L  I  K))) 

(MEMBER  QQ  (SAFE. FOR  (OF  (TO. OF  L  I  K)  L)))) 
(EQUAL  ( BOTTOM 1  L) 

(IN  L  (TO. OF  L  I  K)  QQ)))) 


) 
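The lemmas above relate three quantities: the bag of result versions a voter obtains (one per polled processor, CARD.D.BAG.D4), the sub-bag contributed by Safe processors (CARD.D.BAG.L10), and the value MAJORITY returns, which is the null result when the input task is not executing (RP.L19). The following Python is a toy model of exactly those quantities, added here as an illustration; it is not the SIFT design proof, nor input to the verification system, and the processor ids, the task result, the "garbage" a faulty processor returns and the no-majority rule are all constructed for the example.

```python
"""Toy model of the voting lemmas above (an added example, not the SIFT proof
or the verifier's definitions).  It computes, for a constructed set of
processors, the number of versions a voter sees, how many of them come from
Safe processors, and what the majority vote yields in each situation."""
from collections import Counter

BOTTOM = None   # the null result (BOTTOMD) a safe processor reports for a task that is not on


def majority(bag):
    """The value held by strictly more than half of the bag, else BOTTOM.
    Hypothetical rule for this model: without a strict majority the vote
    produces no usable value."""
    total = sum(bag.values())
    for value, count in bag.items():
        if 2 * count > total:
            return value
    return BOTTOM


def versions(pollers, safe, executing, correct):
    """Bag of result versions a voter obtains from `pollers` (the D.BAG of the
    lemmas).  A Safe processor returns `correct` when the task is executing and
    BOTTOM when it is not; an unsafe processor may return anything, modelled
    here as a value unique to that processor."""
    bag = Counter()
    for p in pollers:
        if p in safe:
            bag[correct if executing else BOTTOM] += 1
        else:
            bag[("garbage-from", p)] += 1
    return bag


def vote(pollers, safe, executing, correct):
    """(versions available, correct versions, majority) for one vote:
    the first is CARD(POLL.FOR.OF), the second CARD(POLL.FOR.OF ∩ SAFE.FOR)."""
    bag = versions(pollers, safe, executing, correct)
    available = sum(bag.values())
    good = len(set(pollers) & set(safe))
    return available, good, majority(bag)


if __name__ == "__main__":
    print(vote({1, 2, 3}, {1, 2}, True, 42))    # safe majority: correct value wins
    print(vote({1, 2, 3}, {1, 2}, False, 42))   # task not on: the null result wins
    print(vote({1, 2, 3}, {1}, True, 42))       # no safe majority: nothing is guaranteed
```

The third call is the caveat the lemmas rest on: the conclusion "majority = correct value" needs the Safe pollers to outnumber the faulty ones, which is exactly what the CARD lemmas are used to establish.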


The Proof Commands with the required Instantiations

(
(PR (RP.L1)
    (RP.A1.1 ((K L) (I (TO.OF L I K))))
    (RP.D1)
    (RP.D2.1))

(PR (RP.L2)
    (RP.A1.1)
    (RP.D3.3)
    (RP.D3.1)
    (RP.L1))

(PR (RP.L2A)
    (RP.A1.1)
    (RP.D3.3)
    (RP.D3.1)
    (RP.D2.1)
    (RP.D1))

(PR (RP.L3)
    (RP.L2 ((T *T:3)))
    (RP.D10 ((T *T:3) (I1 (DW.OF I K))))
    (RP.D10 ((I1 (OF I K)) (T D))))

(PR (RP.L7)
    (RP.D10 ((T *T:1) (I1 (OF (TO.OF L I K) L))))
    (RP.D10 ((T *T:1) (I1 (DW.OF I K))))
    (RP.L2A ((T *T:1))))

(PR (RP.L16)
    (CARD.INTERSECTION ((S1 (SAFE.FOR (DW.OF I K)))
                        (S (POLL.FOR.OF I K))))
    (CARD.SUBSET ((S2 (SAFE.FOR (OF I K)))
                  (S1 (SAFE.FOR (DW.OF I K)))))
    (SUBSET ((S2 (SAFE.FOR (OF I K)))
             (X *X:3)
             (S1 (SAFE.FOR (DW.OF I K)))))
    (RP.L3 ((P *X:3)))
    (RP.D9A)
    (RP.D7))

(PR (RP.L4)
    (RP.L7)
    (CARD.2 ((X (IN L (TO.OF L I K) P))
             (X1 V)
             (S (RESULT L (TO.OF L I K)))))
    (RP.D6 ((I (TO.OF L I K))
            (K L)
            (V (IN L (TO.OF L I K) P))))
    (RP.D6 ((I (TO.OF L I K))
            (K L))))

(PR (RP.L5 ((L (SOURCE V.T))))
    (RP.A3A)
    (IO.A2A)
    (RP.L4 ((V (VALUE V.T))
            (L (SOURCE V.T)))))

(PR (RP.L6 ((L *L:2)))
    (SETEQUALITY ((S2 (V.INPUTS.A3 K I P))
                  (S1 (V.INPUTS.A2 I K))
                  (X *X:1)))
    (RP.L5 ((V.T *X:1))))

(PR (RP.L8 ((L *L:2)))
    (INTERSECT ((S1 (SAFE.FOR (DW.OF I K)))
                (S (POLL.FOR.OF I K))
                (X P)))
    (RP.L6)
    (RP.A3))

(PR (RP.L9 ((L *L:5)))
    (INTERSECT ((S1 (SAFE.FOR (DW.OF I K)))
                (S (POLL.FOR.OF I K))
                (X P)))
    (CARD.2 ((X1 (ON.IN K I P QQ))
             (X (APPLY (FUNCTION K) (V.INPUTS.A2 I K)))
             (S (ON K I P))))
    (RP.L3)
    (RP.A2)
    (RP.L8))

(PR (RP.L11)
    (INTERSECT ((S1 (SAFE.FOR (DW.OF I K)))
                (S (POLL.FOR.OF I K))
                (X *P:2)))
    (RP.D11 ((P D)))
    (RP.D4A ((P *P:2))))

(PR (RP.L12R ((L *L:3)))
    (RP.L12A ((D.P.1 D.P)))
    (RP.L11)
    (RP.L9 ((P *P:4)))
    (RP.D11 ((P D))))

(PR (RP.L13 ((L *L:2)))
    (SUBSET ((S2 (D.BAG.L12 K I QQ Y))
             (X *X:1)
             (S1 (D.BAG.L10 K I QQ Y))))
    (RP.L12R ((D.P *X:1))))

(PR (RP.L14 ((L *L:1)))
    (RP.L13)
    (RP.D9A)
    (CARD.D.BAG.D4)
    (CARD.D.BAG.L10)
    (CARD.SUBSET ((S2 (D.BAG.L12 K I QQ Y))
                  (S1 (D.BAG.L10 K I QQ Y))))
    (MAJ.1 ((T1.V (SEQ.ELEM (APPLY (FUNCTION K) (V.INPUTS.A2 I K)) Y))
            (M.BAG.1 (D.BAG.L12 K I QQ Y))
            (M.BAG (D.BAG.D4 K I QQ Y))))
    (RP.L12A ((D.P.1 *V1.V2:6))))

(PR (RP.L15 ((L *L:1)))
    (RP.L14 ((Y *Y:3)))
    (RP.D4 ((Y *Y:3)))
    (DATA.EQUALITY ((V (IN K I QQ))
                    (Y D)
                    (V1 (APPLY (FUNCTION K) (V.INPUTS.A2 I K)))))
    (DATA.SIZE.IS.SEQ.LENGTH)
    (RESULT.SIZE.GREATER.THAN.1))

(PR (RP.L17 ((L *L:6)
             (L1 *L:7)))
    (CARD.3 ((V.CARD.3 (APPLY (FUNCTION K) (V.INPUTS.A2 I K)))
             (S (RESULT K I))))
    (RP.L16)
    (CARD.4 ((S (SAFE.FOR (OF I K)))))
    (RP.D6 ((P *X:3)
            (V (APPLY (FUNCTION K) (V.INPUTS.A2 I K)))))
    (RP.D6 ((V *X:1)
            (P D)))
    (RP.L15 ((QQ *X:3)))
    (RP.L15 ((QQ *P:5))))

(PR (IO.A2 ((L *L:2)))
    (RP.L17)
    (NECESSARY.EVIL ((L1 *L:1)
                     (L2 *L1:1))))

(PR (RP.L18)
    (CARD.4 ((S (SAFE.FOR (DW.OF I K)))))
    (RP.L7 ((P (*X.CARD.4 (SAFE.FOR (DW.OF I K))))))
    (CARD.INTERSECTION ((S (POLL.FOR.OF I K))
                        (S1 (SAFE.FOR (DW.OF I K)))))
    (RP.D9A)
    (RP.D7))

(PR (RP.L19)
    (MAJ.2 ((M.BAG (D.BAG.D4 L (TO.OF L I K) QQ Y))
            (T2.V D1:2)))
    (BOTTOM.EQUALITY)
    (CARD.D.BAG.D4 ((K L)
                    (I (TO.OF L I K))))
    (CARD.6 ((S (POLL.FOR.OF (TO.OF L I K) L))))
    (RP.D7 ((K L)
            (I (TO.OF L I K)))))

(PR (RP.L20)
    (RP.L19)
    (DATA.BOTTOM ((K L)))
    (DATA.EQUALITY ((V (IN L (TO.OF L I K) QQ))
                    (V1 (BOTTOM1 L))))
    (RP.D4 ((K L)
            (I (TO.OF L I K)))))

(PR (RP.L21)
    (RP.L20 ((Y *Y:2)))
    (DATA.EQUALITY ((V (IN L (TO.OF L I K) QQ))
                    (Y D)
                    (V1 (BOTTOM1 L))))
    (DATA.SIZE.IS.SEQ.LENGTH ((K L)
                              (I (TO.OF L I K)))))

(PR (IO.A5)
    (RP.D9A ((K L)
             (I (TO.OF L I K))))
    (RP.L21 ((QQ *X:9)))
    (RP.L18)
    (RP.L21 ((QQ *P:6)))
    (RP.D6 ((K L)
            (I (TO.OF L I K))
            (V (BOTTOM1 L))
            (P *X:9)))
    (RP.D6 ((K L)
            (I (TO.OF L I K))
            (P D)
            (V *X:7)))
    (CARD.3 ((V.CARD.3 (BOTTOM1 L))
             (S (RESULT L (TO.OF L I K)))))
    (RP.L21)
    (CARD.4 ((S (SAFE.FOR (DW.OF I K)))))
    (RP.L7 ((P *X:9)))
    (CARD.INTERSECTION ((S (POLL.FOR.OF I K))
                        (S1 (SAFE.FOR (DW.OF I K)))))
    (RP.D9A)
IV

Some Completeness Results for a Class of Inequality Provers

by

W. W. Bledsoe, Robert Neveln and Robert Shostak

Abstract. A modified resolution procedure, RCF, which uses a restricted form of
inequality chaining and variable elimination is proved to be complete for first
order logic. RCF allows chaining only on terms of the form $f(t_1, \ldots, t_n)$ where
f is an uninstantiated function symbol and $n \geq 1$. (E.g., we never chain on
variables.) Other results are given. A prover using RCS+, an extension of RCF,
has been implemented and used to prove several moderately difficult inequality
theorems, not proved earlier by general purpose automatic provers.


1. Introduction

One of the most effective procedures used in our inequality prover [1] is
that of variable elimination, whereby a variable which is "eligible" (see below)
in a clause can be eliminated from that clause. For example, the clause

(1)  $a < x \vee x < b \vee c < d$

can be replaced by the clause

(1')  $a < b \vee c < d$

by elimination of the variable x (assuming that x does not occur in a, b, c, or d).
Also, the variable x (which does not occur in a, b, or c) can be eliminated from
the clause

(2)  $a < x \vee b < c$

to produce the clause

(2')  $b < c$ .

In general, the variable x (which does not occur in the $a_i$, the $b_j$, or E) can be
eliminated from the clause

  $\big(\bigvee_{i=1}^{n} a_i < x \ \vee\ \bigvee_{j=1}^{m} x < b_j \ \vee\ E\big)$

to produce

  $\big(\bigvee_{i=1}^{n} \bigvee_{j=1}^{m} a_i < b_j \ \vee\ E\big)$ .

(When some of the literals use ≤ instead of <, the new literal $a_i\, L\, b_j$ is strict
only when both of the literals it replaces are strict; see the definition of
VE-resolvent in Section 2.5.)

A variable is eligible in a clause if it does not occur within the arguments
of an uninstantiated function symbol. Thus x is eligible in (1) but not in (3),

(3)  $a < x \vee x < b \vee f(x) < c$ ,

because it occurs as an argument of the uninstantiated function symbol f. The
term f(x) is called a shielding term because it "shields" the variable x,
thereby preventing it from being eligible in (3).

The principal objective of the inequality prover [1] is to remove such shielding
terms, by inequality "chaining" and other procedures (see below), so that variables
can be eliminated.
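The eligibility test and the elimination step just described can be run mechanically. The Python below is added here as an illustration and is not code from the prover [1]; it implements VE in the general form of the VE-resolvent of Section 2.5 (the new literal is strict only when both literals it replaces are strict), reports the shielding terms that block elimination, and repeats VE until no variable is eligible, as RCF and RCS require. The term encoding (constants and variables as strings, applications as tuples) and the sample clauses are constructed for the example.

```python
"""Variable elimination (VE) on inequality clauses: an added example, not the
paper's prover.  A term is a str (a variable if listed in VARS, otherwise a
constant) or a tuple (f, t1, ..., tn) applying the uninterpreted symbol f.
A literal is (lhs, rel, rhs) with rel in {'<', '<='}; a clause is a list."""
from itertools import product

VARS = frozenset({"x", "y", "z", "u", "v"})
LT, LE = "<", "<="


def is_var(t):
    return isinstance(t, str) and t in VARS


def is_ground(t):
    return not is_var(t) and (isinstance(t, str) or all(is_ground(s) for s in t[1:]))


def shielded_in(x, t):
    """True if variable x occurs inside the arguments of an application in t."""
    return isinstance(t, tuple) and any(s == x or shielded_in(x, s) for s in t[1:])


def sides(clause):
    return [s for lit in clause for s in (lit[0], lit[2])]


def shielding_terms(clause):
    """Isolated, non-ground applications f(...): what chaining must remove."""
    return {s for s in sides(clause) if isinstance(s, tuple) and not is_ground(s)}


def eligible(clause):
    """Variables that are isolated (a whole side of some literal) and never
    occur under a function symbol anywhere in the clause."""
    isolated = {s for s in sides(clause) if is_var(s)}
    return {x for x in isolated if not any(shielded_in(x, s) for s in sides(clause))}


def ve_resolvent(clause, x):
    """Replace a_i L'_i x ∨ x L''_j b_j ∨ E by ∨_{i,j} a_i L_ij b_j ∨ E, where
    L_ij is '<' only when both L'_i and L''_j are '<'.  x must be eligible."""
    assert x in eligible(clause), f"{x} is not eligible"
    uppers = [(a, r) for (a, r, b) in clause if b == x and a != x]   # a_i L'_i x
    lowers = [(b, r) for (a, r, b) in clause if a == x and b != x]   # x L''_j b_j
    rest = [lit for lit in clause if x not in (lit[0], lit[2])]     # E
    new = [(a, LT if ra == LT and rb == LT else LE, b)
           for (a, ra), (b, rb) in product(uppers, lowers)]
    out = []
    for lit in new + rest:          # merge duplicate literals
        if lit not in out:
            out.append(lit)
    return out


def eliminate_all(clause):
    """Apply VE immediately and repeatedly, as RCF/RCS require."""
    while True:
        e = eligible(clause)
        if not e:
            return clause
        clause = ve_resolvent(clause, min(e))


if __name__ == "__main__":
    c1 = [("a", LE, "x"), ("x", LT, "b"), ("c", LT, "d")]
    print(eliminate_all(c1))                 # a <= b ∨ c < d
    c3 = [("a", LT, "x"), ("x", LT, "b"), (("f", "x"), LT, "c")]
    print(eligible(c3), shielding_terms(c3))  # set()  {('f', 'x')}: x is shielded
```

Clause (3) above shows the failure mode: `eligible` returns nothing for it, and `shielding_terms` names f(x) as the term that has to be chained away before VE can apply.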

The clause

  $R = (a < c \vee E_1 \vee E_2)\sigma$

is said to be a chain-resolvent of the clauses

  $C_1 = (a < b \vee E_1)$

and

  $C_2 = (b' < c \vee E_2)$ ,

if σ is the Mgu of $\{b, b'\}$. We also allow "self-chaining" whereby $E\sigma$ is
inferred from $(b < b' \vee E)$.


We will designate by RC ("resolution chaining") a procedure which only uses
chaining (as described above) and factoring. RC was shown to be complete by Slagle [2].
(See also Lemma 4, Section 3.) Unfortunately RC alone is not very powerful as a
prover. In order to strengthen RC, we have added VE (variable elimination, as
described above), and have imposed restrictions on the chaining process, which
help control the proof search tree.

Two such procedures are RCF and RCS, which are described as follows. Both
RCF and RCS use VE, and both restrict chaining as follows: Let

  $R = (a < c \vee E_1 \vee E_2)\sigma$

be the chain resolvent of

  $C_1 = (a < b \vee E_1)$ and $C_2 = (b' < c \vee E_2)$ ,

where $\sigma = \mathrm{Mgu}(b, b')$. We accept R as an RCF chain resolvent if

(1) all of a, b, b', c are ground terms (and hence b = b'), or

(2) b and b' are both of the form $f(t_1, \ldots, t_n)$ where
    f is an uninstantiated function symbol, and $n \geq 1$.

And we accept R as an RCS chain resolvent if, additionally, in case (2), either b or
b' is non-ground, i.e., either b or b' is a shielding term.

Other restrictions on RC include RCM and RC+. RCM uses "multiple cuts",
where, for example, two clauses

  $C_1 = (a < c \vee b < c \vee E_1)$

  $C_2 = (c < d \vee c < e \vee E_2)$

are chained, in one step, on both c's in $C_1$ and both c's in $C_2$ to obtain

  $(a < d \vee a < e \vee b < d \vee b < e \vee E_1 \vee E_2)$ .

RC+ permits literals of the form

  $a_1 + \cdots + a_n \leq b_1 + \cdots + b_m$ ,

where the $a_i$ and $b_j$ are traditional terms (with no occurrence of +). Two
such literals are chained by cancelling like terms (after unification). For
example,

  $f(x) + a < h(x)$

and

  $b < f(c)$

are RC+ chained to obtain

  $b + a < h(c)$ .

By combining these restrictions we obtain the following diagram

        RCF --- RCS --- RCS+
       /   \
      /     RCF+
  RC
      \
       RCM --- RCMF --- RCMS --- RCMS+
                   \
                    RCMF+

where more restrictive (stronger) procedures are shown to the right.
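The chaining step, the RCF/RCS tests on the pair of terms chained upon, and the RC+ cancellation of the example above can all be exercised with the following Python, added here as an illustration (it is not the prover of [1]). It implements syntactic unification with an occurs check, the chain resolvent of Section 1 and the RC+ chain resolvent of Section 2.5 as one operation on sides that are tuples of summands (a plain literal has one summand per side), the self-chaining rule, and a check reporting which of RCF and RCS would accept a given pair b, b'. The term encoding and the sample clauses are constructed for the example; the two clauses are assumed to be already standardized apart.

```python
"""Chaining with unification, the RCF/RCS restrictions, RC+ cancellation and
self-chaining (added example; not the paper's prover).  A term is a str
(a variable if listed in VARS, else a constant) or a tuple (f, t1, ..., tn)
applying the uninterpreted symbol f.  An RC+ literal is (lhs, rel, rhs),
each side a tuple of summands; a plain literal has one summand per side."""
VARS = frozenset({"x", "y", "z", "u", "v"})
LT, LE = "<", "<="


def is_var(t):
    return isinstance(t, str) and t in VARS


def is_ground(t):
    return not is_var(t) and (isinstance(t, str) or all(is_ground(s) for s in t[1:]))


def occurs(x, t):
    return t == x or (isinstance(t, tuple) and any(occurs(x, s) for s in t[1:]))


def subst(env, t):
    """Apply the substitution env (variable -> term) to t."""
    if is_var(t):
        return subst(env, env[t]) if t in env else t
    if isinstance(t, tuple):
        return (t[0],) + tuple(subst(env, s) for s in t[1:])
    return t


def mgu(s, t, env=None):
    """Most general unifier of s and t extending env, or None (occurs check on)."""
    env = {} if env is None else env
    s, t = subst(env, s), subst(env, t)
    if s == t:
        return env
    if is_var(s) or is_var(t):
        v, w = (s, t) if is_var(s) else (t, s)
        if occurs(v, w):
            return None
        env[v] = w
        return env
    if isinstance(s, tuple) and isinstance(t, tuple) and s[0] == t[0] and len(s) == len(t):
        for a, b in zip(s[1:], t[1:]):
            env = mgu(a, b, env)
            if env is None:
                return None
        return env
    return None


def restriction(b, bp):
    """Which of RCF / RCS accept chaining on the pair b, b'.  Unrestricted RC
    accepts any unifiable pair; neither RCF nor RCS ever chains on a variable."""
    ok = set()
    both_apps = isinstance(b, tuple) and isinstance(bp, tuple)
    both_ground = is_ground(b) and is_ground(bp)
    if both_ground or both_apps:
        ok.add("RCF")
        if both_apps and not both_ground:     # at least one side is a shielding term
            ok.add("RCS")
    return ok


def cancel(left, right):
    """Strike summands common to both sides; an emptied side becomes ('0',)."""
    left, right = list(left), list(right)
    for t in list(left):
        if t in right:
            left.remove(t)
            right.remove(t)
    return tuple(left) or ("0",), tuple(right) or ("0",)


def lit_subst(env, lit):
    l, rel, r = lit
    return tuple(subst(env, t) for t in l), rel, tuple(subst(env, t) for t in r)


def chain_plus(c1, i, k, c2, j, l):
    """RC+ chain resolvent of c1 (literal i, summand k of its right side) with
    c2 (literal j, summand l of its left side): (clause, mgu), or None if the
    two summands do not unify.  With single summands this is the plain chain."""
    a_side, rel1, b_side = c1[i]
    bp_side, rel2, c_side = c2[j]
    env = mgu(b_side[k], bp_side[l])
    if env is None:
        return None
    rel = LT if LT in (rel1, rel2) else LE                 # strict if either premise is
    left = tuple(subst(env, t) for t in a_side + bp_side[:l] + bp_side[l + 1:])
    right = tuple(subst(env, t) for t in c_side + b_side[:k] + b_side[k + 1:])
    left, right = cancel(left, right)
    rest = [lit_subst(env, x) for m, x in enumerate(c1) if m != i]
    rest += [lit_subst(env, x) for m, x in enumerate(c2) if m != j]
    return [(left, rel, right)] + rest, env


def self_chain(clause, i):
    """From (b < b' ∨ E) with b, b' unifiable infer Eσ (plain literal only)."""
    l, rel, r = clause[i]
    if rel != LT or len(l) != 1 or len(r) != 1:
        return None
    env = mgu(l[0], r[0])
    return None if env is None else [lit_subst(env, x) for m, x in enumerate(clause) if m != i]


if __name__ == "__main__":
    C1 = [(("b",), LT, (("f", "c"),))]                       # b < f(c)
    C2 = [((("f", "x"), "a"), LT, (("h", "x"),))]             # f(x) + a < h(x)
    print(chain_plus(C1, 0, 0, C2, 0, 0))                     # b + a < h(c), {x: c}
    print(restriction(("f", "x"), ("f", "c")), restriction("x", ("f", "c")))
```

The RC+ example above is obtained by chaining on f(c) (right side of b < f(c)) against f(x) (left side of the other literal); `restriction` reports that the pair f(x), f(c) is acceptable to both RCF and RCS, while a pair with a bare variable is acceptable to neither.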
It is the purpose of this paper to prove that RCF, RCF+, RCM, RCMF, and RCMF+
are complete.

It is conjectured that RCS is also complete, as well as RCS+, RCMS, and
RCMS+.

RCS+ is the procedure described in [1]. But RCF+, which is proved complete
here, is equally as strong as RCS on the examples given in [1]. Since we allow
quantification and uninterpreted function symbols, we can encode all of first order
logic. For example, the atom P(x,y) can be written as

  $f(x, y) < 0$

where f is a new uninterpreted function symbol associated with P. Hence our
procedures RC, RCF, etc. are complete for all of first order logic.

In each of RCF, RCS, RCM, etc., it is required that variable elimination
(VE) be applied immediately when a variable becomes eligible in a clause C,
and that C be discarded and replaced by its VE-resolvent.

The reader might prefer to skip to Section 3, page 19, and refer back
to Section 2 as needed.
2. Definitions and Logical Basis

2.1. Axioms for total (linear) order: T

  1.  $x \not< x$                                          Anti-reflexive
  2.  $x < y \rightarrow y \not< x$                          Anti-symmetry
  3.  $x < y \wedge y < z \rightarrow x < z$                  Transitivity
  4.  $y \not< x \wedge z \not< y \rightarrow z \not< x$

It is convenient (but not necessary) to also use the symbol ≤, where
$a \leq b$ is equivalent to $b \not< a$. Then axioms 1-4 can be written

  1.  $x \leq x$
  2.  $x < y \rightarrow x \leq y$
  3.  $x < y \wedge y < z \rightarrow x < z$
  4.  $x \leq y \wedge y \leq z \rightarrow x \leq z$

The axioms 1-4 are also called the inequality axioms.

Definition. Let $S_<$ be the set of clauses corresponding to the inequality axioms,

  $S_< = \{\, x \leq x,\ \ y \leq x \vee x \leq y,\ \ y \leq x \vee z \leq y \vee x < z,\ \ y < x \vee z < y \vee x \leq z \,\}$ .

2.2. Interpolation Axioms: I

  1.  $\forall x\, \exists y\, (y < x)$
  2.  $\forall x\, \exists y\, (x < y)$
  3.  $\forall x y\, (x < y \rightarrow \exists w\, (x < w < y))$
  4.  $\forall x y z\, (x < z \wedge y < z \rightarrow \exists w\, (x < w < z \wedge y < w < z))$

Using ≤, these can be expanded to include

  $\forall x\, \exists y\, (y \leq x)$
  $\forall x\, \exists y\, (x \leq y)$
  $\forall x y\, (x \leq y \rightarrow \exists w\, (x \leq w \leq y))$
  $\forall x y z\, (x \leq z \wedge y \leq z \rightarrow \exists w\, (x \leq w \leq z \wedge y \leq w \leq z))$
  $\forall x y z\, (x < z \wedge y \leq z \rightarrow \exists w\, (x < w < z \wedge y \leq w \leq z))$
  $\cdots$

More precisely, let I, the Interpolation axiom, be the infinite set

  $I = \{\, P : \exists n \in \mathbb{N}\ \exists m \in \mathbb{N}\ \exists L\ \big(L$ is a function on $\{1, \ldots, n\} \times \{1, \ldots, m\}$ to $\{<, \leq\}$, and P is

  $\forall x_1 \cdots x_n\ \forall y_1 \cdots y_m\ \Big( \bigwedge_{i=1}^{n} \bigwedge_{j=1}^{m} (x_i\, L_{ij}\, y_j) \ \rightarrow\ \exists w\, \bigwedge_{i=1}^{n} \bigwedge_{j=1}^{m} (x_i\, L_{ij}\, w \ \wedge\ w\, L_{ij}\, y_j) \Big) \big) \,\}$ ,

where $\mathbb{N} = \{0, 1, 2, \ldots\}$.

Definition. Let $S_I$ be the (infinite) set of clauses corresponding to I,

  $S_I = \{\, w_{10}(x) < x,\ \ w'_{10}(x) \leq x,\ \ x < w_{01}(x),\ \ x \leq w'_{01}(x),$
  $\qquad x < w_{11}(x,y) \vee y \leq x,\ \ x \leq w'_{11}(x,y) \vee y < x,$
  $\qquad w_{11}(x,y) < y \vee y \leq x,\ \ w'_{11}(x,y) \leq y \vee y < x,$
  $\qquad x < w_{21}(x,y,z) \vee z \leq x \vee z \leq y,$
  $\qquad y < w_{21}(x,y,z) \vee z \leq x \vee z \leq y,$
  $\qquad w_{21}(x,y,z) < z \vee z \leq x \vee z \leq y,$
  $\qquad x \leq w'_{21}(x,y,z) \vee z < x \vee z < y,$
  $\qquad y \leq w'_{21}(x,y,z) \vee z < x \vee z < y,$
  $\qquad w'_{21}(x,y,z) \leq z \vee z < x \vee z < y,$
  $\qquad \ldots \,\}$ ,

where $w_{nm}$ (primed for the variants in which some $L_{ij}$ is ≤) is the Skolem function for the axiom of I determined by n, m and L. More precisely, let

  $S_I = \{\, C : \exists n \in \mathbb{N}\ \exists m \in \mathbb{N}\ \exists k \in \mathbb{N}\ \exists \ell \in \mathbb{N}\ \exists L\ \big(L$ is a function on $\{1, \ldots, n\} \times \{1, \ldots, m\}$ to $\{<, \leq\}$ $\wedge\ k \leq n\ \wedge\ \ell \leq m\ \wedge$

  $\qquad \big( C = (x_k\, L_{k\ell}\, w(x_1, \ldots, x_n, y_1, \ldots, y_m) \ \vee\ \bigvee_{i=1}^{n} \bigvee_{j=1}^{m} (y_j\, \bar{L}_{ij}\, x_i))$

  $\qquad \vee\ C = (w(x_1, \ldots, x_n, y_1, \ldots, y_m)\, L_{k\ell}\, y_\ell \ \vee\ \bigvee_{i=1}^{n} \bigvee_{j=1}^{m} (y_j\, \bar{L}_{ij}\, x_i)) \big) \big) \,\}$ ,

where w is the Skolem function for n, m and L, and $y\, \bar{L}\, x$ is the negation of $x\, L\, y$, i.e. $y \leq x$ when L is < and $y < x$ when L is ≤.

The axioms for total order plus the interpolation axioms define the theory
of dense linear order without endpoints [5]. This theory is decidable [6]. However,
the class of formulas we are investigating contains quantification and
uninterpreted function symbols and hence is undecidable (since any formula in first
order logic can be encoded).
2.3. Equality Axioms

Definition. If S is a set of clauses then $S_=$ is the set of clauses corresponding
to the equality axioms for S. (See [8].)

2.4. Axioms for +

  1.  $(x + y) + z \leq x + (y + z)$          Associativity
  2.  $x + (y + z) \leq (x + y) + z$          Associativity
  3.  $x + 0 \leq x$                          Zero
  4.  $x \leq x + 0$                          Zero
  5.  $x + y \leq y + x$                      Commutativity
  6.  $x + y < x + z \rightarrow y < z$       Cancellation
  7.  $x + y < x \rightarrow y < 0$           Cancellation
  8.  $x + y \leq x \rightarrow y \leq 0$     Cancellation

Definition. Let $S_+$ be the clauses corresponding to the axioms for +,

  $S_+ = \{\, (x + y) + z \leq x + (y + z),$
  $\qquad x + (y + z) \leq (x + y) + z,$
  $\qquad x + y \leq y + x,$
  $\qquad x + z \leq x + y \vee y < z,$
  $\qquad x + z < x + y \vee y \leq z,$
  $\qquad x + 0 \leq x,$
  $\qquad x \leq x + 0,$
  $\qquad x \leq x + y \vee y < 0,$
  $\qquad x < x + y \vee y \leq 0 \,\}$ .
2.5. Additional Definitions

Definition. Let S be a set of inequality clauses.

A term t is said to be isolated in a literal L of S if t occurs in
L not within the arguments of any uninterpreted function symbol. t is isolated
in S if it is isolated in a literal of S.

Thus t is isolated in each of $t < a$, $b < t + c$, $t < f(t)$.

A variable x is said to be eligible in a clause C (and in S) if it is
isolated in C and does not occur within the arguments of an uninstantiated
function symbol.

A term t is a shielding term of a clause C (and of S) if t has the form
$f(t_1, \ldots, t_n)$, where f is an uninstantiated function symbol, and t is isolated and not ground.
For example, x is eligible and f(y) is a shielding term in the clause

  $x + a < b \vee f(y) < c$ .

t and t' are called half literals of the literals $t < t'$ and $t \leq t'$.

Definition. A set S of inequality clauses is said to be
RC-unsatisfiable if $(S \cup S_<)$ is unsatisfiable, and we write $S \models_{RC} \Box$.

Definition. If C is an inequality clause of the form

  $\bigvee_{i=1}^{n} (a_i\, L'_i\, x) \ \vee\ \bigvee_{j=1}^{m} (x\, L''_j\, b_j) \ \vee\ E$ ,

where x is a variable which does not occur in E or in any of the $a_i$ or $b_j$,
and for each i, j, $L'_i$ is either < or ≤, and $L''_j$ is either < or ≤, then

  $R = \bigvee_{i=1}^{n} \bigvee_{j=1}^{m} (a_i\, L_{ij}\, b_j) \ \vee\ E$

is called a VE-resolvent of C upon x, where $L_{ij}$ is < if both $L'_i$ and $L''_j$
are <, and is ≤ otherwise.

Note that x is eligible in C.

Definition. If C is an inequality clause of the form

  $\bigvee_{i=1}^{n} (a_i\, L'_i\, x + a'_i) \ \vee\ \bigvee_{j=1}^{m} (x + b'_j\, L''_j\, b_j) \ \vee\ E$ ,

where x is a variable which does not occur in E or in any of the $a_i$, $a'_i$, $b_j$,
$b'_j$, and for each i, j, $L'_i, L''_j \in \{<, \leq\}$, then

  $R = \bigvee_{i=1}^{n} \bigvee_{j=1}^{m} (a_i + b'_j\ \ L_{ij}\ \ b_j + a'_i) \ \vee\ E$

is called a VE+ Resolvent of C upon x, where $L_{ij}$ is < if both $L'_i$ and $L''_j$ are, and ≤ otherwise.


Definition. If $C_1$ and $C_2$ are inequality clauses of the form

  $C_1 = (a\, L'\, b \vee E_1)$ ,
  $C_2 = (b'\, L''\, c \vee E_2)$ ,

where L' and L'' are in $\{<, \leq\}$, and b and b' are unifiable, then

  $R = (a\, L\, c \vee E_1 \vee E_2)\sigma$

is said to be a chain resolvent of $C_1$ and $C_2$ upon b and b', where
$\sigma = \mathrm{Mgu}(b, b')$ and L is < if either of L' or L'' is <, and ≤ otherwise.

Definition. If C is an inequality clause of the form

  $C = (b < b' \vee E)$

and $\sigma = \mathrm{Mgu}\{b, b'\}$, then $E\sigma$ is said to be a self-chain resolvent of C upon
b and b'. $E\sigma$ is also called a chain-resolvent of C.

Definition. If R is a chain resolvent of $C_1$ and $C_2$ upon b and b', or
a self-chain resolvent of C upon b and b', and

  (1) b and b' are both ground, or

  (2) b and b' both have the form $f(t_1, \ldots, t_n)$
      where f is an uninstantiated function symbol with $n \geq 1$,

then R is called an RCF-chain resolvent of $C_1$ and $C_2$
upon b and b' (or of C upon b and b').

Definition. If R is an RCF-chain resolvent of $C_1$ and $C_2$ upon b and b',
and either b or b' is a shielding term, then R is called an RCS-chain
resolvent of $C_1$ and $C_2$ upon b and b' (or of C upon b and b').

Definition. Let $C_1$ and $C_2$ be inequality clauses of the form

  $C_1 = \big(a\ \ L'\ \ \sum_{i=1}^{n} b_i\big) \vee E_1$ ,

  $C_2 = \big(\sum_{j=1}^{m} b'_j\ \ L''\ \ c\big) \vee E_2$ ,

where $L', L'' \in \{<, \leq\}$, $k \in \{1, \ldots, n\}$, $\ell \in \{1, \ldots, m\}$, $\sigma = \mathrm{Mgu}\{b_k, b'_\ell\}$, and let

  $R = \Big(\big(a + \sum_{j \neq \ell} b'_j\ \ L\ \ c + \sum_{i \neq k} b_i\big) \vee E_1 \vee E_2\Big)\sigma$ ,

where L is ≤ if both L' and L'' are, and < otherwise, and let R' be
obtained from R by algebraic simplification whereby like terms on opposite sides
of L are cancelled (if all terms on one side of L are cancelled that side is
replaced by 0). Then R' is called an RC+ chain resolvent of $C_1$ and $C_2$ upon
$b_k$ and $b'_\ell$. Also (the self-chaining case) if

  $C = \big(\sum_{i=1}^{n} a_i\ \ L\ \ \sum_{j=1}^{m} b_j\big) \vee E$ ,

where $L \in \{<, \leq\}$ and $\sigma = \mathrm{Mgu}\{a_k, b_\ell\}$, then

  $\Big(\big(\sum_{i \neq k} a_i\ \ L\ \ \sum_{j \neq \ell} b_j\big) \vee E\Big)\sigma$ ,

(algebraically simplified), is called an RC+ chain resolvent of C upon $a_k$ and $b_\ell$.

RCF+ and RCS+ chain resolvents are defined similarly, where the appropriate
restrictions are maintained on $b_k$, $b'_\ell$ and $a_k$, $b_\ell$.

We note that, in all of these cases, we do not chain-resolve two clauses unless
at least one term is cancelled. Thus we would not chain-resolve $a + b < c$ and
$d + e < f$ to get $a + b + d + e < c + f$, unless c = d, c = e, f = a, or f = b. Also
when an intermediate resolvent R is obtained which is simplified to R' by
cancelling like terms, we keep only R' and discard R.
Definition. If C is a clause let

  $LE(C)$ = '<' if every literal of C has the predicate '<', and '≤' otherwise.

Definition. If $C_1$ and $C_2$ are inequality clauses of the form

  $C_1 = \big(\bigvee_{i=1}^{n} a_i\, L'_i\, b_i\big) \vee E_1$ ,

  $C_2 = \big(\bigvee_{j=1}^{m} b'_j\, L''_j\, c_j\big) \vee E_2$ ,

where $L'_i, L''_j \in \{<, \leq\}$, and $\{b_1, \ldots, b_n, b'_1, \ldots, b'_m\}$ is unifiable with Mgu σ, then

  $R = \Big(\big(\bigvee_{i=1}^{n} \bigvee_{j=1}^{m} a_i\, L_{ij}\, c_j\big) \vee E_1 \vee E_2\Big)\sigma$

is called a multiple cut chain resolvent of $C_1$ and $C_2$ upon $b_1, \ldots, b_n$,
$b'_1, \ldots, b'_m$, where $L_{ij}$ is < if either of $L'_i$, $L''_j$ is <, and ≤ otherwise
(exactly as for an ordinary chain resolvent; this is what makes the multiple cut of
clauses 1 and 2 in the example of Section 3 produce the strict clause 15). It is also
called an RCM-chain resolvent of $C_1$ and $C_2$. Also self-chain resolvents are called
multiple cut chain resolvents, or RCM-chain resolvents.

RCMF, RCMS, RCMF+, and RCMS+ chain resolvents are defined in a similar way.
Definition. Let C be an inequality clause,

  $C = C' \vee D$,  $C' = (a_1 \prec_1 b_1 \vee \cdots \vee a_n \prec_n b_n)$,  $n \geq 2$ ,

where each $\prec_i$ is either < or ≤, and let σ be a Mgu of $\{a_1 \prec_1 b_1, \ldots, a_n \prec_n b_n\}$
(a most general substitution making all the $a_i$ identical and all the $b_i$ identical),
with the restriction that

(1) if one of the $a_i$'s is a variable then no $b_i$ can be a
    variable and σ is a Mgu of $\{b_1, \ldots, b_n\}$, and

(2) if one of the $b_i$'s is a variable then no $a_i$ can be a
    variable and σ is a Mgu of $\{a_1, \ldots, a_n\}$.

Then $((a_1 \prec b_1) \vee D)\sigma$ is called an RCS-factor of C, where $\prec = LE(C')$.

Thus $(a < f(a) \vee g(a) < c)$ is an RCS-factor of $(a < f(x) \vee x < f(a) \vee g(x) < c)$
but not of $(a < f(a) \vee x < f(a) \vee g(x) < c)$. That is, for RCS-factors,
we do not allow a variable to unify with a (different) term unless that unification
is forced by the unification of other non-variable terms.

Definition. An RC-factor is the same as an RCS-factor, except conditions (1) and
(2) are removed.

Definition.

  $FACT(S) = S \cup \{C' : \exists C \in S\ (C'$ is an RC-factor of $C)\}$ .

  $FACT\text{-}S(S) = S \cup \{C' : \exists C \in S\ (C'$ is an RCS-factor of $C)\}$ .

Definition. If S is a set of inequality clauses, then

  $RC(S) = \{R : \exists C_1 \in FACT(S)\ \exists C_2 \in FACT(S)\ (R$ is a chain resolvent of $C_1$ and $C_2)\}$ ,

  $RC^0(S) = S$ ,

  $RC^{n+1}(S) = RC^n(S) \cup RC(RC^n(S))$,  $n \in \mathbb{N}$ ,

  $RC^\infty(S) = \bigcup_{n \in \mathbb{N}} RC^n(S)$ .
Definition. If $\Box \in RC^\infty(S)$ then we write

  $S \vdash_{RC} \Box$

and say that there is an RC-deduction of □ from S (or there is an RC-refutation of S).

Definition. If S is a set of inequality clauses, then

  $VE(S) = \{R : \exists C \in S\ (R$ is a VE-resolvent of $C)\} \ \cup\ S \setminus \{C \in S : C$ has a VE-resolvent$\}$ ,

$VE^+(S)$ is defined similarly,

  $RCF(S) = VE(S')$, where
  $S' = \{R : \exists C_1 \in FACT\text{-}S(S)\ \exists C_2 \in FACT\text{-}S(S)\ (R$ is an RCF-chain resolvent of $C_1$ and $C_2)\}$ ,

  $RCS(S) = VE(S')$, where
  $S' = \{R : \exists C_1 \in FACT\text{-}S(S)\ \exists C_2 \in FACT\text{-}S(S)\ (R$ is an RCS-chain resolvent of $C_1$ and $C_2)\}$ ,

etc. for $RCF^+(S)$, $RCM(S)$, $RCMF(S)$, $RCMS(S)$, $RCMF^+(S)$, and $RCMS^+(S)$, except
that $FACT(S)$ is used in the definition of $RCM(S)$ (only).

Note that variable elimination is applied immediately to a new resolvent R,
when it has an eligible variable, and R is discarded and replaced by its VE-resolvent.

Definition.

  $RCF^0(S) = S$ ,

  $RCF^{n+1}(S) = RCF^n(S) \cup RCF(RCF^n(S))$ ,

  $RCF^\infty(S) = \bigcup_{n \in \mathbb{N}} RCF^n(S)$ .

Similarly for $RCS^\infty(S), \ldots, RCMS^{+\,\infty}(S)$.

Definition. If $\Box \in RCF^\infty(S)$ we write

  $S \vdash_{RCF} \Box$

and say that there is an RCF-deduction of □ from S. Similarly for

  $S \vdash_{RCS} \Box$, ..., $S \vdash_{RCMS+} \Box$ .
3. Completeness Results

3.1. RCF Completeness

Lemma 1. If S is a set of inequality clauses, Sσ is ground, S is not
ground, and S has no eligible variables, then S contains a shielding term t
for which $t\sigma \neq x\sigma$ for all isolated variables x in S.

Proof. If S has no isolated variable we are finished. So let

  $x_1$ be an isolated variable in clause $C_1$,
  $f_1(x_1)$ be a shielding term in $C_1$ (since $x_1$ is
  not eligible, by hypothesis).

Now if $f_1(x_1)\sigma \neq V\sigma$ for each isolated variable V in S, we are finished. So
suppose that

  $f_1(x_1)\sigma = x_2\sigma$ for some isolated variable $x_2$ in clause $C_2$,
  $f_2(x_2)$ is a shielding term in $C_2$,
  $\cdots$
  $x_n$ is an isolated variable in clause $C_n$,
  $f_{n-1}(x_{n-1})\sigma = x_n\sigma$,
  $f_n(x_n)$ is a shielding term in $C_n$,
  $\cdots$

If this were the case then we would have

  $f_1(x_1)/x_2,\ \ f_2(x_2)/x_3,\ \ \ldots,\ \ f_n(x_n)/x_{n+1},\ \ \ldots$

or

  $f_n f_{n-1} f_{n-2} \cdots f_2 f_1(x_1)/x_{n+1}$ .

But σ has finite depth, so this process has to terminate. It can only terminate
if one of the $x_i$ is eligible, or if one of the $f_i(x_i)$ is such that

  $f_i(x_i)\sigma \neq x\sigma$

for any isolated variable x in S.

Q.E.D.

Lemma 2. If S is an RC-unsatisfiable set of ground clauses, and c is a
half literal of S (i.e., $c < d$, $d < c$, $c \leq d$, or $d \leq c$ is in S, for some d),
then there is an RC-refutation D of S for which any chaining on terms other
than c is done on clauses not containing c (as a half literal).

(That is, all chainings on c are done first, and then only clauses not containing
c are retained for the remainder of the refutation.)

Proof. The proof is by induction on the excess literal parameter k(S), defined as

  $k(S) = \Big(\sum_{C \in S} |C|\Big) - |S|$ ,

that is, k(S) is the total number of occurrences of literals minus the number
of clauses in S.

Case 1. $k(S) = -1$. Then $\Box \in S$ and we are finished.

Case 2. $k(S) = 0$, $\Box \notin S$.

In this case the clauses of S are all units and by Lemma 2, Appendix I,
S contains a sequence of unit clauses

  $a_1 \prec a_2,\ \ a_2 \prec a_3,\ \ \ldots,\ \ a_{n-1} \prec a_n,\ \ a_n \prec a_1$ ,

where each ≺ is either < or ≤ and at least one of the ≺ is <.
If any of the $a_i$ are c's, then they can be chained upon first.

Case 3. (Induction Step)

Suppose $k(S) = n$, $n \geq 1$, and that for each set S' of ground clauses which
is RC-unsatisfiable and for which $k(S') < n$, there is an RC-refutation D' of
S' for which any chaining on a term other than c is done on clauses not containing
c (as a half literal).

Then S has at least one non-unit clause C (since k(S) > 0). Let

  $C = C' \vee L$

where C' is a clause and L is a unit clause. Let

  $S_0 = S \setminus \{C\}$ ,

  $S_1 = S_0 \cup \{C'\}$,  $S_2 = S_0 \cup \{L\}$ .

Then $S_1$ and $S_2$ each subsume S and hence are RC-unsatisfiable. Also $k(S_1) < n$,
$k(S_2) < n$, and hence by the induction hypothesis there are RC-refutations $D_1$
and $D_2$ of $S_1$ and $S_2$, respectively, for which any chaining on terms other
than c is done on clauses not containing c.

Let $D_{11}$ be the first part of $D_1$ in which chaining is done only on c,
and $D_{12}$ be the rest of $D_1$ (the last part of $D_1$). And let $S'_1$ be the set of
resolvents produced by $D_{11}$ which do not contain c (as a half literal), but
such that $D_{12}$ produces □ from $S'_1$:

  $S_0 \cup \{C'\} \ \xrightarrow{\ D_{11}\ }\ S'_1 \ \xrightarrow{\ D_{12}\ }\ \Box$

  $S_0 \cup \{L\} \ \xrightarrow{\ D_2\ }\ \Box$

Now build D out of $D_1$, $D_2$, and $S'_1$ as follows:

Let $D_{01}$ be the same as $D_{11}$ except that C' is replaced by C (and some
descendants of C' have the additional literal L), and let $S'_0$ be produced by
$D_{01}$ from S (similarly as $S'_1$ is produced by $D_{11}$ from $S_1$).

For each clause E in $S'_1$, we have by Lemma 1, Appendix I, that either
E or $(E \vee L)$ is in $S'_0$. For each such $(E \vee L)$ in $S'_0$, let $D_E$ be the
same as $D_2$ except that L is replaced by $(E \vee L)$ and some descendants of
$(E \vee L)$ have additional literals from E. Thus $D_E$ when applied to $S_0 \cup \{E \vee L\}$
will produce a clause E' which subsumes E (by Lemma 1, Appendix I).

By applying such a deduction $D_E$ to each such $(E \vee L)$ in $S'_0$, we obtain
from $(S_0 \cup S'_0)$ a set of clauses $S''_1$ which subsumes $S'_1$. And then we apply $D_{12}$
to $S''_1$ to obtain □.

D is made up of $D_{01}$, several of the $D_E$'s, and $D_{12}$.
  $S_0 \cup \{C\} \ \xrightarrow{\ D_{01}\ }\ S_0 \cup S'_0 \ \xrightarrow{\ D_{E_1},\ D_{E_2},\ \ldots,\ D_{E_n}\ }\ S''_1 \ \xrightarrow{\ D_{12}\ }\ \Box$

Since $D_{01}$ consists of chainings only on c, since the first part of $D_{E_i}$
consists of chainings only on c for each i, since the $D_{E_i}$ are done in
parallel, and since $D_{12}$ chains only on clauses not containing c, it follows
that D has the desired properties.

Q.E.D.

A different proof of Lemma 2, due to Ken Kunen, is given in Appendix II.

Lemma 3. If S is an RC-unsatisfiable set of clauses (S may contain more
than one variant of a particular clause), Sσ is ground and RC-unsatisfiable,
t is a half literal of S,

  $\theta = \{t' : t'$ is a half literal of S and $t'\sigma = t\sigma\}$ ,

then there is an RC-deduction D' of a set S' from S for which

(1) each step in D' is a chaining on a member of θ,

(2) S' contains no member of θ as a half literal,

(3) S'σ (and therefore S') is RC-unsatisfiable.

Proof. Apply Lemma 2 to Sσ, with tσ for c, to obtain an RC-refutation
D'' of Sσ for which any chaining on terms other than tσ is done on clauses
not containing tσ (as a half literal).

Let S'' be the clauses obtained by D'' on Sσ where only chainings on tσ
are done, and let $S''_0$ be those clauses of $S'' \cup S\sigma$ not containing tσ (as a half
literal). Since any chaining on terms other than tσ is done on clauses not
containing tσ, it follows that D'' is an RC-refutation of $S''_0$.

D' is obtained from D'' and S' from $S''_0$ by lifting. Conclusions (1),
(2) and (3) follow immediately.

Lemma 4. (RC-completeness Theorem)

If S is an RC-unsatisfiable set of clauses then there is an RC-deduction
of □ from S.

Proof. Let S' be an RC-unsatisfiable set of ground instances of S. Then by
Lemma 2 there is an RC-refutation D of S'. Lifting D gives the desired conclusion.

Remark. The deductions provided by Lemmas 2 and 4 may employ tautologies, as the
following example shows.


Example. Let S consist of the clauses

  1.  $b \leq a \vee c \leq a \vee d \leq a$
  2.  $a < b \vee a < c \vee a < d$
  3.  $c \leq b$
  4.  $b \leq c$
  5.  $d \leq b$
  6.  $b \leq d$
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Notice  that  each  chaining  on  S  results  in  a  tautology.  To  show  that  S 
is  RC-unsatisfiable,  the  iollowing  deduction  (using  tautologies)  is  given. 


 7.  c < a  ∨  d < a  ∨  a < c  ∨  a < d                                   [1,2]
 8.  c < a  ∨  d < a  ∨  b < c  ∨  a < d                                   [1,7]
 9.  c < a  ∨  d < a  ∨  b < c  ∨  b < d                                   [1,8]
10.  c < b  ∨  d < a  ∨  b < c  ∨  b < d  ∨  a < c  ∨  a < d               [9,2]
11.  c < b  ∨  d < a  ∨  b < c  ∨  b < d  ∨  a < d                         [9,10]
12.  c < b  ∨  d < a  ∨  b < c  ∨  b < d  ∨  c < d                         [9,11]
13.  c < b  ∨  d < b  ∨  b < c  ∨  b < d  ∨  c < d  ∨  a < c  ∨  a < d     [12,2]
14.  c < b  ∨  d < b  ∨  b < c  ∨  b < d  ∨  c < d  ∨  d < c  ∨  a < d     [12,13]
15.  c < b  ∨  d < b  ∨  b < c  ∨  b < d  ∨  c < d  ∨  d < c               [12,14]
16.  c < d                                                                 [3,6]
17.  d < c                                                                 [5,4]
18.  □                                                                     [15,4,6,3,5,17,16]

The use of tautologies in RC proofs can be avoided if we use "multiple cuts"
whereby for example clauses 1 and 2 above produce in one step the clause 15, and
intermediate clauses 7-14 are not produced or retained. See [9].
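The deduction above, replayed in code. This is an added example, not the report's own implementation (the report's program is the Interlisp listing in the Appendix): a ground clause is a set of literals s < u, chain implements the step used in 7-18 (from s < t ∨ A and t < u ∨ B derive s < u ∨ A ∨ B, dropping s < s as false under a strict order), and multiple_cut implements the "multiple cut" just mentioned, so that clauses 1 and 2 yield clause 15 in one step. The report lists only the parent numbers of each step; the literal each step chains on is my reading of those parents, and the clause table is constructed from clauses 1-6 above.

```python
# Added example (not from the report): ground RC chaining on strict-inequality
# clauses, replaying the report's deduction of 7-18 from clauses 1-6, and the
# "multiple cut" that produces clause 15 from clauses 1 and 2 in one step.
from itertools import product

def lit(text):
    """Parse 'x < y' into the literal (x, y)."""
    left, right = (part.strip() for part in text.split("<"))
    return (left, right)

def clause(text):
    """Parse 'x < y v z < w' into a clause: a frozenset of literals ('v' is disjunction)."""
    return frozenset(lit(part) for part in text.split(" v "))

def chain(c1, l1, c2, l2):
    """One chaining step: from (s<t v A) and (t<u v B) derive (s<u v A v B).
    Under a strict order s<s is false, so that literal is dropped when s == u."""
    (s, t), (t2, u) = l1, l2
    if l1 not in c1 or l2 not in c2 or t != t2:
        raise ValueError("not a chaining on a common term")
    rest = (c1 - {l1}) | (c2 - {l2})
    return frozenset(rest | {(s, u)}) if s != u else frozenset(rest)

def multiple_cut(c1, c2, term):
    """Multiple cut on `term`: chain every s<term in c1 against every term<u in c2 at once."""
    lower = {l for l in c1 if l[1] == term}
    upper = {l for l in c2 if l[0] == term}
    derived = {(s, u) for (s, _), (_, u) in product(lower, upper) if s != u}
    return frozenset((c1 - lower) | (c2 - upper) | derived)

# Constructed input: the report's clauses 1-6 over the constants a, b, c, d.
S = {
    1: clause("b < a v c < a v d < a"),
    2: clause("a < b v a < c v a < d"),
    3: clause("c < b"),
    4: clause("b < c"),
    5: clause("d < b"),
    6: clause("b < d"),
}

# Steps 7-17 as (new, parent1, literal in parent1, parent2, literal in parent2);
# the literal pairs are my reading of the parent numbers listed in the report.
STEPS = [
    (7, 1, "b < a", 2, "a < b"),   (8, 1, "b < a", 7, "a < c"),
    (9, 1, "b < a", 8, "a < d"),   (10, 9, "c < a", 2, "a < b"),
    (11, 9, "c < a", 10, "a < c"), (12, 9, "c < a", 11, "a < d"),
    (13, 12, "d < a", 2, "a < b"), (14, 12, "d < a", 13, "a < c"),
    (15, 12,
     "d < a", 14, "a < d"),
    (16, 3, "c < b", 6, "b < d"),  (17, 5, "d < b", 4, "b < c"),
]

def replay(clauses=S, steps=STEPS):
    """Derive 7-17, then cut 15 against the units 4, 6, 3, 5, 17, 16 to reach
    the empty clause (step 18). Returns the numbered clause table."""
    table = dict(clauses)
    for n, i, l1, j, l2 in steps:
        table[n] = chain(table[i], lit(l1), table[j], lit(l2))
    current = table[15]
    for unit in (4, 6, 3, 5, 17, 16):
        (t, u) = next(iter(table[unit]))                       # the unit clause t < u
        current = chain(current, (u, t), table[unit], (t, u))  # u<t with t<u: u<u dropped
    table[18] = current
    return table

if __name__ == "__main__":
    for n, c in sorted(replay().items()):
        print(n, " v ".join(f"{s} < {u}" for s, u in sorted(c)) or "[] (empty clause)")
    print(multiple_cut(S[1], S[2], "a") == replay()[15])   # True
```

The last line checks the remark: the multiple cut of clauses 1 and 2 on a is exactly clause 15, with the tautological intermediates 7-14 never materialised.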

Lemma 5. If S is an RC-unsatisfiable set of clauses, Sσ is ground and
RC-unsatisfiable, C ∈ S, x is a variable,

    $C = (\bigvee_{i=1}^{n} x < a_i \;\vee\; \bigvee_{j=1}^{m} b_j < x \;\vee\; E)$

where x does not occur in a_i, b_j or E, then

    $S' = S \sim \{C\} \;\cup\; \{(\bigvee_{i=1}^{n} \bigvee_{j=1}^{m} b_j < a_i \;\vee\; E)\}$

is RC-unsatisfiable, and S'σ is RC-unsatisfiable. Also the shielding terms of
S' are those of S. (A similar theorem holds when some or all of the '<' in
C are replaced by '≤', and appropriate changes are made in S'.)

Proof. Let

    $C' = (\bigvee_{i=1}^{n} \bigvee_{j=1}^{m} b_j < a_i \;\vee\; E)$,

    $S_0 = S \sim \{C\}$.

We must show that (S_0 ∪ {C'})σ is unsatisfiable. We will show that any model for
(S_0 ∪ {C'})σ is a model for Sσ = (S_0 ∪ {C})σ.

Suppose M is a model for (S_0 ∪ {C'})σ. If M is a model for Eσ then
M is a model for Cσ and we are through. Otherwise M is a model for
(b_jσ < a_iσ), for some i, j.

If M is already defined on (xσ < a_iσ) and (b_jσ < xσ), then, since
(b_jσ < a_iσ) is TRUE under M, it follows that either (xσ < a_iσ) or
(b_jσ < xσ) is TRUE under M. If M is not defined on these two literals, we
arbitrarily define it to be TRUE on the first and FALSE on the second (or vice versa).

In either case M is a model for Cσ and is therefore a model for Sσ.

Clearly the shielding terms of S' are those of S.

Q.E.D.
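Lemma 5's variable-elimination rewrite as code, with a brute-force check of the model argument in the proof. This is an added example, not from the report: the clause EXAMPLE_CLAUSE (n = 2, m = 2, E = p < q) is constructed, and the exhaustive check that (∀x) C and VE(C) agree under every assignment of the other terms to a small finite linear order is my own verification aid, not part of the lemma.

```python
# Added example (not from the report): Lemma 5's variable elimination on a clause
# C = (x < a_1 v ... v x < a_n v b_1 < x v ... v b_m < x v E), and a brute-force
# check of the proof's model argument over small finite linear orders.
from itertools import product

def eliminate_variable(c, x):
    """Return VE(C) = (b_j < a_i for all i, j) v E, where E is the part of C without x.
    Literals are (s, u) pairs meaning s < u; x may only occur as x < a_i or b_j < x."""
    if (x, x) in c:
        raise ValueError("x < x is not allowed in C")
    uppers = [u for (s, u) in c if s == x]                 # the a_i
    lowers = [s for (s, u) in c if u == x]                 # the b_j
    rest = {(s, u) for (s, u) in c if x not in (s, u)}     # E
    return frozenset(rest | {(b, a) for b in lowers for a in uppers})

def holds(c, env):
    """Truth of a ground clause under an assignment of its terms to integers."""
    return any(env[s] < env[u] for (s, u) in c)

def equivalent_over_linear_orders(c, x, size=4):
    """Check that (forall x) C and VE(C) agree under every assignment of C's other
    terms to {0, ..., size-1}, with x ranging over the same domain."""
    terms = sorted({t for l in c for t in l if t != x})
    ve = eliminate_variable(c, x)
    for values in product(range(size), repeat=len(terms)):
        env = dict(zip(terms, values))
        forall_x = all(holds(c, {**env, x: v}) for v in range(size))
        if forall_x != holds(ve, env):
            return False
    return True

# Constructed clause: n = 2, m = 2, E = (p < q); x occurs nowhere else.
EXAMPLE_CLAUSE = frozenset({("x", "a1"), ("x", "a2"), ("b1", "x"), ("b2", "x"), ("p", "q")})

if __name__ == "__main__":
    print(sorted(eliminate_variable(EXAMPLE_CLAUSE, "x")))
    print(equivalent_over_linear_orders(EXAMPLE_CLAUSE, "x"))   # True
```

The check passes because (∀x)(x < a_i ∨ b_j < x) fails exactly when every b_j is at least every a_i (take x equal to the largest a_i), which is the case the proof's model M rules out by making some b_jσ < a_iσ true.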

Lemma 6. If S is an RC-unsatisfiable set of clauses then there exists a
set S_1 of variants of S and a substitution σ such that S_1σ is ground and
RC-unsatisfiable.
Theorem 1. If S is an RC-unsatisfiable set of clauses then there is an RCF-
refutation of S.

Proof. By Lemma 6 there is a set S_1 of variants of S and a substitution σ
for which S_1σ is ground and RC-unsatisfiable. WLOG assume that S has no
eligible variable.

Recursively define S_1, S_2, S_3, ... as follows:

If S_i is ground, halt.

If S_i is not ground, use Lemma 1 to select a shielding term t from S_i
for which tσ ≠ xσ for any isolated variable x in S_i, and let

    $\Psi_i = \{t' : t'\sigma = t\sigma \wedge t' \text{ is a half literal of } S_i\}$,

and use Lemma 3 to obtain an RC-deduction D_i of a set S'_{i+1} from S_i for which
each step in D_i is a chaining on a member of Ψ_i, S'_{i+1} contains no member of Ψ_i
(as a half literal), and S'_{i+1} and S'_{i+1}σ are RC-unsatisfiable. Let S_{i+1} = VE(S'_{i+1}).

We observe that variable elimination (i.e., the use of Lemma 4) on a set S'
does not increase the number of half literals in S'σ. Furthermore, in applying
Lemma 3, the half literals of S'_{i+1}σ are a subset of those of S_iσ, and tσ is
a half literal of S_iσ but not of S'_{i+1}σ. So the use of Lemma 3 steadily decreases
the number of half literals in S_iσ. Therefore the sequence S_1, S_2, ... must
terminate in an RC-unsatisfiable ground set S_n. Let D_n be the RCF-refutation
of S_n.

Since the shielding term chosen by Lemma 1 is such that tσ ≠ xσ
for any variable x, it follows that if tσ = t'σ, then t and t' have the form

    $f(c_1, \ldots, c_n)$

where f is an uninstantiated function symbol, and therefore each member of Ψ_i
has this form. And since D_i chains only on members of Ψ_i it follows that each
of the steps of D_i produces an RCF-resolvent.

Since variable elimination steps are also RCF-steps it would appear that
D_1, ..., D_n together form an RCF-deduction of □ from S_1. But in the definition
of RCF_n(S) we required that variable elimination be applied on a resolvent
immediately when it is produced (if it has an eligible variable), so we cannot
follow D_i by D_{i+1}, but must intermingle the two, by reordering the VE and RCF
steps. In particular, by [11], there is an RCF-deduction D'_i of S_{i+1} from
S_i, for each i, i = 1, n-1.

And by putting together the deductions

    $D'_1, D'_2, \ldots, D'_{n-1}, D_n$

we obtain an RCF-refutation of S.

Q.E.D.

Theorem 2. (RCF Completeness Theorem)

Let

    S be a set of inequality clauses,

    S_< be the set of clauses for the inequality axioms,

    S_I be the set of clauses for the interpolation axioms,

and suppose (S ∪ S_< ∪ S_I) is unsatisfiable. Then there is an RCF-deduction of
□ from S.

Proof. By definition (S ∪ S_I) is RC-unsatisfiable. Thus by Theorem 1 there is
an RCF-deduction D of □ from (S ∪ S_I). But no clause of S_I can be a part of
a (productive) step in D, so D is an RCF-deduction of □ from S.

To see why a clause of S_I cannot be part of a (productive) step in D,
recall that S_I is the set of clauses

n  n 


\  S  %,(*! . V  *1 . V  v  ^  Vfi  <  V 

. V  yl . ym>  S.  yi  V  ^  ■=  V 

k = 1, n;  i = 1, m;  n > 0,  m > 0,


together with similar clauses when < and ≤ are interchanged.

Consider the case when n = 1, m = 1.

    $CI_1 = (x < w(x,y) \vee y < x)$

    $CI_2 = (w(x,y) < y \vee y < x)$

(we have dropped the subscript on w). Since the symbol 'w' occurs only in
CI_1 and CI_2 and nowhere else in S, it follows that no chaining on w(x,y)
with another clause in S is allowed in D, because it would have to match a
variable. And chaining CI_1 with CI_2 would produce the tautology
which again cannot be used in any step of D since matching on variables is forbidden.
Hence CI_1 and CI_2 are not used in a productive way in D and can be removed from
S ∪ S_I. Similarly other members of S_I can be removed.

Q.E.D. 

Lemma 7. If

    S is a set of inequality and equality clauses,

    S_< is the set of clauses for the inequality axioms,

    S" is obtained from S by replacing each literal of
    the form (a = b) by (a ≤ b ∧ b ≤ a) and reclausing
    if necessary,

and S is unsatisfiable, then (S" ∪ S_<) is RC-unsatisfiable.

Proof. The following is a partial sketch of the proof for the ground case. Lifting
gives the general case.

Suppose two clauses

    $C_1 = (a = b \vee E_1)$

    $C_2 = (a \neq b \vee E_2)$

in S are resolved to obtain

    $R = (E_1 \vee E_2)$.

If C_1 and C_2 have no other "=" symbol then C_1 is converted to the two clauses
in S",

    $C_{1,1} = (a \le b \vee E_1)$

    $C_{1,2} = (b \le a \vee E_1)$

and C_2 is converted to

    $(a < b \vee b < a \vee E_2)$.

RC-chaining C_{1,1} and C_{1,2} with the converted C_2 gives R.
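The translation in Lemma 7 and the chaining that recovers R, as an added example not taken from the report. Literals carry a relation tag; E_1 and E_2 are constructed as plain inequality literals. The rule that chaining s ≤ t with t < u yields s < u (strict whenever either parent is strict), that a derived s < s is false and dropped, and that a derived s ≤ s makes the resolvent a tautology are my assumptions about RC chaining on mixed literals, used only to carry the sketch through.

```python
# Added example (not from the report): Lemma 7's translation of equality literals
# into inequalities, and the chaining of the translated clauses that recovers R.
# A literal is (rel, s, u) with rel in {"<", "<=", "=", "!="}; a clause is a frozenset.

def reclause(c):
    """Replace a = b by (a <= b and b <= a) and a != b by (a < b or b < a), then
    redistribute: one output clause per choice of conjunct for each '=' literal."""
    clauses = [frozenset()]
    for rel, s, u in sorted(c):
        if rel == "=":
            clauses = [cl | {alt} for cl in clauses for alt in (("<=", s, u), ("<=", u, s))]
        elif rel == "!=":
            clauses = [cl | {("<", s, u), ("<", u, s)} for cl in clauses]
        else:
            clauses = [cl | {(rel, s, u)} for cl in clauses]
    return clauses

def chain(c1, l1, c2, l2):
    """Chain (s R1 t) in c1 with (t R2 u) in c2 into (s R u), R strict if either parent is.
    Assumed rule for mixed literals: a derived s < s is false and dropped; a derived
    s <= s is true, so the result is a tautology and None is returned."""
    (r1, s, t), (r2, t2, u) = l1, l2
    if l1 not in c1 or l2 not in c2 or t != t2:
        raise ValueError("not a chaining on a common term")
    rest = (c1 - {l1}) | (c2 - {l2})
    r = "<" if "<" in (r1, r2) else "<="
    if s == u:
        return frozenset(rest) if r == "<" else None
    return frozenset(rest | {(r, s, u)})

# Constructed ground clauses C1 = (a = b v E1), C2 = (a != b v E2), E1 and E2 inequalities.
E1, E2 = ("<", "p", "q"), ("<", "r", "s")
C1 = frozenset({("=", "a", "b"), E1})
C2 = frozenset({("!=", "a", "b"), E2})

def derive_R():
    """Translate C1, C2 as in the lemma and chain to obtain R = (E1 v E2)."""
    c11 = next(cl for cl in reclause(C1) if ("<=", "a", "b") in cl)   # (a <= b v E1)
    c12 = next(cl for cl in reclause(C1) if ("<=", "b", "a") in cl)   # (b <= a v E1)
    (c2,) = reclause(C2)                                              # (a < b v b < a v E2)
    step1 = chain(c11, ("<=", "a", "b"), c2, ("<", "b", "a"))     # a<=b, b<a: a<a dropped
    step2 = chain(c12, ("<=", "b", "a"), step1, ("<", "a", "b"))  # b<=a, a<b: b<b dropped
    return step2

if __name__ == "__main__":
    print(reclause(C1), reclause(C2), sep="\n")
    print(derive_R() == frozenset({E1, E2}))   # True
```

Two chaining steps are needed where the equality resolution took one, which is the price of reclausing C_1 into two clauses; each step consumes one of the strict literals that replaced a ≠ b.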

Theorem 3. Let

    S be a set of inequality and equality clauses,

    S_< be the set of clauses for the inequality axioms,

    S_E be the set of clauses for the equality axioms
    for the set S,

    S_I be the set of clauses for the interpolation axioms,

    S' be obtained from S ∪ S_E by replacing each literal
    a = b by (a ≤ b ∧ b ≤ a) and reclausing if necessary,

and suppose (S ∪ S_< ∪ S_I) is E-unsatisfiable, and S ∩ S_< = ∅. Then there is an
RCF-deduction of □ from S'.

Proof. In this proof we use the following notation: For any set U of inequality
and equality clauses,

    U_E is the set of clauses for the equality axioms for U,

    U" is obtained from U by replacing each literal of the form
    a = b by (a ≤ b ∧ b ≤ a) and reclausing if necessary.

Thus, in the above, S' = S" ∪ S_E", and we must show that there is an RCF-deduction
of □ from S" ∪ S_E".
We first give an outline of the proof:

    S ∪ S_< ∪ S_I is E-unsatisfiable                         (Hypothesis of Theorem 3)

    S ∪ S_< ∪ S_I ∪ S_E ∪ S_IE is unsatisfiable              Reference [8]

    S" ∪ S_< ∪ S_I ∪ S_E" ∪ S_IE" is RC-unsatisfiable        Lemma 7
    (Note: S_<" = S_<, S_I" = S_I)

    There is an RCF-deduction of □ from (S" ∪ S_E" ∪ S_IE")  Theorem 2 (with S" ∪ S_E" ∪ S_IE" for S)

    There is an RCF-deduction of □ from (S" ∪ S_E").         See below.

The last step follows because if D is an RCF-deduction of □ from
S" ∪ S_E" ∪ S_IE" then we can omit from D those steps involving S_IE". Because
S_IE" has only clauses of the form

    $C_{nm}:\; x_1 < x'_1 \vee x'_1 < x_1 \vee \cdots \vee y_m < y'_m \vee y'_m < y_m \vee w_{nm}(x_1, \ldots, x_n, y_1, \ldots, y_m) \le w_{nm}(x'_1, \ldots, x'_n, y'_1, \ldots, y'_m)$

(and similar clauses, see Section 2), and since the symbol "w_nm" does not occur
in S" ∪ S_E", no RCF step can use C_nm unless C_nm is chained with itself.
But such a chaining only produces an RCF-resolvent

    $x_1 < x'_1 \vee \cdots \vee y_m < y'_m \vee \cdots \vee w_{nm}(x_1, \ldots, x_n, y_1, \ldots, y_m) \ldots$

which can again only be used against members of RCF(S_IE"). So no interaction
with S" ∪ S_E" is possible.

3.2. RCF+ Completeness

Lemma 9 (Ground unit RC+ Completeness). If S is an RC+ unsatisfiable set
of ground unit clauses, then there is an RC+ deduction of □ from S.

This follows essentially from a consistency criterion used in linear
programming. See [10]. Also see Lemma 3, Appendix I.
Lemma 10. If S is an RC+ unsatisfiable set of ground unit clauses, and c
is an isolated term of S, then there is an RC+ refutation D of S for which
any chaining on terms other than c is done on clauses not containing c (as an
isolated term).

Proof. Use Lemma 9.

Lemma 11. (Like Lemma 2) If S is an RC+ unsatisfiable set of ground
clauses, and c is an isolated term of S, then there is an RC+ refutation D
of S for which any chaining on terms other than c is done on clauses not
containing c (as an isolated term).

Proof. The proof is by induction on the excess literal parameter k(S).

Case 1. k(S) = -1. Then □ ∈ S.

Case 2. k(S) = 0, □ ∉ S.

In this case the clauses of S are ground unit clauses, and the desired
result follows from Lemma 10.

Case 3. (Induction Step) The proof of this case follows exactly as the proof of
Case 3 in Lemma 2, except the expression "half literal" is replaced by "isolated
term".

Recall that a term is isolated if it occurs not within the arguments of any
uninstantiated function symbol. E.g., t < a, t + a < b, a + t + b < c, etc.
Lemma 12. (Like Lemma 3) If S is an RC+ unsatisfiable set of clauses,
Sσ is ground and RC+ unsatisfiable, t is an isolated term of S,

    $\Psi = \{t' : t' \text{ is an isolated term of } S \text{ and } t'\sigma = t\sigma\}$,

then there is an RC+ deduction D' of a set S' from S for which

(1) each step in D' is a chaining on a member of Ψ,

(2) S' contains no member of Ψ (as an isolated term),

(3) S'σ (and therefore S') is RC+ unsatisfiable.

Proof. Similar to that of Lemma 3.

Lemma 13. (Like Lemma 5) If S is an RC+ unsatisfiable set of clauses,
C ∈ S, x is an eligible variable in C, and R is a VE+ Resolvent of C upon
x, then S ~ {C} ∪ {R} is RC+ unsatisfiable.

Proof. The proof is similar to that of Lemma 5.

Theorem 4. If S is an RC+ unsatisfiable set of clauses then there is an RCF+
refutation of S.

Proof. Very much like that of Theorem 1.
APPENDIX Theorem Prover Listing

The following is an excerpt from the Interlisp implementation of
the experimental theorem prover developed during the second year of
the project. The excerpt exhibits the main procedures in part of the
theorem prover that reduces propositional structure.


(PROVE
  (LAMBDA (FORM)
    (NEW.CONTEXT (AND.SIMP (LIST FORM)))))

(NEW.CONTEXT
  (NLAMBDA (X)
    (PROG ((SIGNATURE.ALIST SIGNATURE.ALIST)
           (FIND.PTR.ALIST FIND.PTR.ALIST)
           (USE.ALIST USE.ALIST)
           (INEQLIST (APPEND INEQLIST))
           (IF.ALIST IF.ALIST))
      (RETURN (EVAL X)))))

(AND.SIMP
  (LAMBDA (STACK SUBGOALS FAST.FLG)                      (* edited: "19-Feb-81 21:02")
    (PROG ((DEFER.POT (CONS NIL (AND SUBGOALS (APPEND SUBGOALS))))
           EXP SINGLE ADD.ELEM NOT.EXP)
      TOP (while STACK
             do ((SETQ EXP (CAR STACK))
                 (COND
                   ((ATOM EXP)
                    (SELECTQ EXP
                      (TRUE (SETQ STACK (CDR STACK)))
                      (FALSE (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE)))
                      (PROG2 (OR (ADD.EQ (LIST (QUOTE EQUAL) (QUOTE TRUE) EXP))
                                 (SETQ SINGLE (COND (SINGLE (QUOTE FALSE))
                                                    (T EXP))))
                             (SETQ STACK (CDR STACK)))))
                   (T
                    (SELECTQ (CAR EXP)
                      (NOT
                        (SETQ NOT.EXP (CADR EXP))
                        (COND
                          ((ATOM NOT.EXP)
                           (SELECTQ NOT.EXP
                             (TRUE (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE)))
                             (FALSE (SETQ STACK (CDR STACK)))
                             (PROG2 (OR (ADD.EQ (LIST (QUOTE EQUAL) (QUOTE FALSE) NOT.EXP))
                                        (SETQ SINGLE (COND (SINGLE (QUOTE FALSE))
                                                           (T EXP))))
                                    (SETQ STACK (CDR STACK)))))
                          (T
                           (SELECTQ (CAR NOT.EXP)
                             (NOT (SETQ STACK (CONS (CADR NOT.EXP) (CDR STACK))))
                             (AND
                               (COND
                                 ((CDR NOT.EXP)
                                  (RPLACD DEFER.POT
                                          (CONS (CONS (QUOTE OR)
                                                      (for ARG in (CDR NOT.EXP)
                                                         collect (LIST (QUOTE NOT) ARG)))
                                                (CDR DEFER.POT)))
                                  (SETQ STACK (CDR STACK)))
                                 (T (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE)))))
                             (OR
                               (COND
                                 ((CDR NOT.EXP)
                                  (SETQ STACK
                                        (NCONC (for ARG in (CDR NOT.EXP)
                                                  collect (LIST (QUOTE NOT) ARG))
                                               (CDR STACK))))
                                 (T (SETQ STACK (CDR STACK)))))
                             (IMPLIES
                               (SETQ STACK
                                     (CONS (CADR NOT.EXP)
                                           (CONS (LIST (QUOTE NOT) (CADDR NOT.EXP))
                                                 (CDR STACK)))))
                             (IF
                               (RPLACD DEFER.POT
                                       (CONS (LIST (QUOTE IF)
                                                   (CADR NOT.EXP)
                                                   (LIST (QUOTE NOT) (CADDR NOT.EXP))
                                                   (LIST (QUOTE NOT) (CADDDR NOT.EXP)))
                                             (CDR DEFER.POT)))
                               (SETQ STACK (CDR STACK)))
                             (IF.OBJ
                               (SETQ IF.ALIST (CONS (CADR NOT.EXP) IF.ALIST))
                               (SETQ STACK
                                     (CONS (LIST (QUOTE NOT) (CADDR NOT.EXP))
                                           (CDR STACK))))
                             (IFF
                               (RPLACD DEFER.POT
                                       (CONS (LIST (QUOTE OR)
                                                   (LIST (QUOTE AND)
                                                         (CADR NOT.EXP)
                                                         (LIST (QUOTE NOT) (CADDR NOT.EXP)))
                                                   (LIST (QUOTE AND)
                                                         (CADDR NOT.EXP)
                                                         (LIST (QUOTE NOT) (CADR NOT.EXP))))
                                             (CDR DEFER.POT)))
                               (SETQ STACK (CDR STACK)))
                             (SELECTQ (SETQ ADD.ELEM (ADD.ELEM.REL NOT.EXP T))
                               (NIL (SETQ STACK (CDR STACK))
                                    (SETQ SINGLE (COND (SINGLE (QUOTE FALSE))
                                                       (T EXP))))
                               (T (SETQ STACK (CDR STACK)))
                               (SETQ STACK (CONS ADD.ELEM (CDR STACK))))))))
                      (AND (SETQ STACK (APPEND (CDR EXP) (CDR STACK))))
                      (OR
                        (COND
                          ((CDR EXP)
                           (RPLACD DEFER.POT (CONS EXP (CDR DEFER.POT))))
                          (T (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE))))
                        (SETQ STACK (CDR STACK)))
                      (IMPLIES
                        (RPLACD DEFER.POT
                                (CONS (LIST (QUOTE OR)
                                            (LIST (QUOTE NOT) (CADR EXP))
                                            (CADDR EXP))
                                      (CDR DEFER.POT)))
                        (SETQ STACK (CDR STACK)))
                      (IF (RPLACD DEFER.POT (CONS EXP (CDR DEFER.POT)))
                          (SETQ STACK (CDR STACK)))
                      (IF.OBJ
                        (SETQ IF.ALIST (CONS (CADR EXP) IF.ALIST))
                        (SETQ STACK (CONS (CADDR EXP) (CDR STACK))))
                      (IFF
                        (SETQ STACK
                              (CONS (LIST (QUOTE AND)
                                          (LIST (QUOTE IMPLIES) (CADR EXP) (CADDR EXP))
                                          (LIST (QUOTE IMPLIES) (CADDR EXP) (CADR EXP)))
                                    (CDR STACK))))
                      (SELECTQ (SETQ ADD.ELEM (ADD.ELEM.REL EXP))
                        (NIL (SETQ SINGLE (COND (SINGLE (QUOTE FALSE))
                                                (T EXP)))
                             (SETQ STACK (CDR STACK)))
                        (T (SETQ STACK (CDR STACK)))
                        (SETQ STACK (CONS ADD.ELEM (CDR STACK)))))))))
      (COND
        ((CDR DEFER.POT)
         (FAST.ITERATE DEFER.POT)
         (COND
           (STACK (GO TOP))
           (FAST.FLG)
           ((CDR DEFER.POT)
            (SLOW.ITERATE DEFER.POT)
            (COND
              (STACK (GO TOP))
              ((CDDR DEFER.POT)
               (SPLIT.RECURSE (CDR DEFER.POT))
               (RPLACD DEFER.POT)
               (AND STACK (GO TOP))))))))
      (RETURN (COND
                (SINGLE (COND
                          ((OR (EQ SINGLE (QUOTE FALSE)) (CDR DEFER.POT)) NIL)
                          (T SINGLE)))
                ((CDR DEFER.POT)
                 (COND
                   ((CDDR DEFER.POT) NIL)
                   (T (CADR DEFER.POT))))
                (T (QUOTE TRUE)))))))

(FAST.ITERATE
  (LAMBDA (DEFER.POT.PTR)
    (while (CDR DEFER.POT.PTR) bind SIMP
       do (SELECTQ (SETQ SIMP (SELECTQ (CAADR DEFER.POT.PTR)
                                (OR (OR.SIMP (CADR DEFER.POT.PTR) NIL T))
                                (IF (IF.SIMP (CADR DEFER.POT.PTR)))
                                NIL))
            (TRUE (RPLACD DEFER.POT.PTR (CDDR DEFER.POT.PTR)))
            (FALSE (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE)))
            (NIL (SETQ DEFER.POT.PTR (CDR DEFER.POT.PTR)))
            (PROGN (SETQ STACK (CONS SIMP STACK))
                   (RPLACD DEFER.POT.PTR (CDDR DEFER.POT.PTR)))))))

(FAST.PROVE
  (LAMBDA (FORM)
    (NEW.CONTEXT (AND.SIMP (LIST FORM) NIL T))))

(OR.SIMP
  (LAMBDA (STACK SUBGOALS FAST.FLG)
    (PROG (SIMP)
      (SETQ STACK (for X in (CDR STACK) collect (LIST (QUOTE NOT) X)))
      (RETURN (SELECTQ (SETQ SIMP (NEW.CONTEXT (AND.SIMP STACK SUBGOALS FAST.FLG)))
                (TRUE (QUOTE FALSE))
                (FALSE (QUOTE TRUE))
                (NIL NIL)
                (LIST (QUOTE NOT) SIMP))))))

(SLOW.ITERATE
  (LAMBDA (DEFER.POT.PTR)
    (while (CDR DEFER.POT.PTR) bind SIMP
       do (SELECTQ (SETQ SIMP
                     (SELECTQ (CAADR DEFER.POT.PTR)
                       (OR (OR.SIMP (CADR DEFER.POT.PTR)))
                       (IF (OR.SIMP (CAR (RPLACA (CDR DEFER.POT.PTR)
                                                 (CONVERT.IF.TO.OR (CADR DEFER.POT.PTR))))))
                       NIL))
            (TRUE (RPLACD DEFER.POT.PTR (CDDR DEFER.POT.PTR)))
            (FALSE (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE)))
            (NIL (SETQ DEFER.POT.PTR (CDR DEFER.POT.PTR)))
            (PROGN (SETQ STACK (CONS SIMP STACK))
                   (RPLACD DEFER.POT.PTR (CDDR DEFER.POT.PTR)))))))

(SPLIT.RECURSE
  (LAMBDA (GOALS)
    (PROG (SINGLE SIMP)
      (RETURN (SELECTQ (for DISJUNCT in (CDAR GOALS)
                          do (SELECTQ (SETQ SIMP (NEW.CONTEXT (AND.SIMP (LIST DISJUNCT)
                                                                        (CDR GOALS))))
                               (NIL (RETURN (QUOTE NO.LUCK)))
                               (FALSE)
                               (TRUE (RETURN (QUOTE TRUE)))
                               (COND
                                 (SINGLE (RETURN (QUOTE NO.LUCK)))
                                 (T (SETQ SINGLE SIMP)))))
                (NO.LUCK (RETFROM (QUOTE NEW.CONTEXT)))
                (TRUE)
                (COND
                  (SINGLE (SETQ STACK (LIST SINGLE)))
                  (T (RETFROM (QUOTE NEW.CONTEXT) (QUOTE FALSE)))))))))


